isrstealer | 403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
Size

368KB
MD5

c1ffe666a1dfdb35dc3c5d4297025d19
SHA1

47ccdd6630e0ca19c2da66d7afe79f8f85a60b5d
SHA256

403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0
SHA512

18a05d479674d54bb9d1439c7ace24e24caf32ef750c85cefd66b94039d33c4f1c7cd46cbf26f5310e316b35fec1e4e358af51f2fbde5d74451e831bf2acdf36
SSDEEP

6144:DRAuog7deUAjpXZii1urqy4FVRO4lqaGClZFpRQwg5iwatmzZ/pPQ0:bZCpkuS4FV9l0Cl7nxgtzZBQ0

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1924-80-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/1924-81-0x00000000004011F0-mapping.dmp	family_isrstealer
behavioral1/memory/1924-90-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/1924-91-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
1788	Able2Extract_Keygen.exe
1760	006.exe
1924	006.exe

Loads dropped DLL 16 IoCs

pid	Process
1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
1788	Able2Extract_Keygen.exe
1788	Able2Extract_Keygen.exe
1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
1788	Able2Extract_Keygen.exe
1760	006.exe
1760	006.exe
1760	006.exe
1788	Able2Extract_Keygen.exe
1788	Able2Extract_Keygen.exe
1760	006.exe
1924	006.exe
1924	006.exe
1924	006.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 1924	1760	006.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1924	006.exe
1924	006.exe
1924	006.exe
1924	006.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	006.exe
1924	006.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1788	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	28
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1088 wrote to memory of 1760	1088	403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe	29
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30
PID 1760 wrote to memory of 1924	1760	006.exe	30

C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe
"C:\Users\Admin\AppData\Local\Temp\403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\006.exe
  "C:\Users\Admin\AppData\Local\Temp\006.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\006.exe
    "C:\Users\Admin\AppData\Local\Temp\006.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
C:\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
C:\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
memory/1088-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1788-77-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-78-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-80-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1924-90-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1924-91-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download