isrstealer | 282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11

General

Target

282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe
Size

1.4MB
MD5

72e772a6c4da883b1ca8908ed182036d
SHA1

04ff56a156750d83ce715a79e3e6250b3e7b4b81
SHA256

282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11
SHA512

532d6c2d9e29c1c75ce1ee9a950978154361f2dbf4c5bc289bb06372f4133c35b6b4218f0c4a47257a899a87ea74cd9a1fbc7235a839b8dda305d6842cda266f

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4348-131-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4348-136-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1004-145-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1004-146-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1004-147-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1004-148-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral2/memory/1004-145-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1004-146-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1004-147-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1004-148-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1004-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 4348	4232	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	80
PID 4348 set thread context of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 set thread context of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2188	400	WerFault.exe	81

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4348	4232	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	80
PID 4232 wrote to memory of 4348	4232	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	80
PID 4232 wrote to memory of 4348	4232	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	80
PID 4232 wrote to memory of 4348	4232	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	80
PID 4232 wrote to memory of 4348	4232	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	80
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 400	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	81
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85
PID 4348 wrote to memory of 1004	4348	282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe	85

C:\Users\Admin\AppData\Local\Temp\282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe
"C:\Users\Admin\AppData\Local\Temp\282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe
  "C:\Users\Admin\AppData\Local\Temp\282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\nwuEH1JIUL.ini"
    3⤵
    PID:400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 80
      4⤵
      Program crash
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\282af5294cd9e32e8c4cc3faa90fb46082571679d7d37e30aef2755ec8b71c11.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\BYKLTwXkLE.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 400 -ip 400
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4348-131-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing