isrstealer | ea4eb55ebf7e14785d300fbb24be2bdea633c4b78b69fe5fccf77a16cab5cccd

General

Target

ea4eb55ebf7e14785d300fbb24be2bdea633c4b78b69fe5fccf77a16cab5cccd
Size

470KB
Sample

221001-2jfl7sbegn
MD5

f3070124582666fa280f71dfe8eb4dd4
SHA1

37888ff39c2743f8ac240aa6b4a1a85e74fe11b6
SHA256

ea4eb55ebf7e14785d300fbb24be2bdea633c4b78b69fe5fccf77a16cab5cccd
SHA512

ab74f813aad11231aa4962cc72b18128508280c43e52951e01f669df2c5e6b757eb8e25692262ae073709bb9ae71e9c13b178d56ce41102de073318eb8c4984f
SSDEEP

6144:Qz7FWvZ7f1szXE3jM/4vPc1kH6wMG5a9T/iNJI+c8ItCslNlnzYdmcdlgXC60xre:Qzhw7fDjhHPMGxJfICslMmcdlgeTmDH7

Score

10^/10

Malware Config

Targets

- Target
  
  Catelog.jpg.exe
- Size
  
  123KB
- MD5
  
  458a2379358ae7cdd5a47059277338ca
- SHA1
  
  c3753cfa681d226b772a3ab6bc462a5c29791fa0
- SHA256
  
  d954de23f8e04cff445b91436fdaf60b05c18e115c3dda8afce8460d72fb1fa7
- SHA512
  
  fe182750f864b963f5ca970013bf5003dd108c7e7d69c981d9b8779b8276727b464fd5a1978dffd68e9e52e809bf7ce23206114d58f6aba3d87d4e8b5d768705
- SSDEEP
  
  3072:wJQ8sYDCBvQTYMGWdQUkv2Gc1eGktXENiTRWnTuX8Wr:yERqTfGDHv+DvoTROTu
Score

8^/10

persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Samples.jpg.exe
- Size
  
  392KB
- MD5
  
  d4bb706e3e461f1ccf390fc2fc786faf
- SHA1
  
  94b8dee04b501862d4b66f376a806ccaaebb4122
- SHA256
  
  ac2cfb961139a24edca708958b6f6a72666f3f711696065435fcf169bee64a56
- SHA512
  
  384a5639ed3e9074600430183634ba7bd52b26190041241012970e164dc6f08e6b4eef5f8d4ba9ab4ff79ad01cd08ed93e7f7e0b62662a5cce80fb2b80dee3cb
- SSDEEP
  
  12288:xZNq9Q5uxGnhiqti9tb/eT3BK/AMKEOL+:xua2GnUqtYyT8/xOL+
Score

10^/10

isrstealer collection persistence stealer trojan upx
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
  trojan stealer isrstealer
- ISR Stealer payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

ISR Stealer

ISR Stealer payload

NirSoft MailPassView

Nirsoft

UPX packed file

Checks computer location settings

Loads dropped DLL

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4