isrstealer | 26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6

General

Target

26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
Size

1.2MB
MD5

75e1d7d18b37a47f384bcf4ed05ebfd6
SHA1

8fe244eab3110ac69fd87173de07e62c80fa8dae
SHA256

26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6
SHA512

34ff9c146e0f88e8b8e88d515f1d1eb7c5fd336a6aa2f111a9fcdf693c520d4287951f1c1b9f55e94bfad92abeb685c495040a60e5a60ec47fda8793e307c661

Score

10^/10

isrstealer persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 5 IoCs

resource	yara_rule
behavioral1/memory/892-58-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/892-60-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/892-61-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/892-71-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/892-73-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-65-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1668-69-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1668-70-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1668-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1668-74-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe"	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 892 set thread context of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 1736 wrote to memory of 892	1736	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	28
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29
PID 892 wrote to memory of 1668	892	26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe	29

C:\Users\Admin\AppData\Local\Temp\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
"C:\Users\Admin\AppData\Local\Temp\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
  "C:\Users\Admin\AppData\Local\Temp\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\26dacc4039fe46089565614caf19300700e2eae430ac8d7f0f71c3ba652396f6.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\oKKChhMrdO.ini"
    3⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1736-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing