isrstealer | 91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88

General

Target

91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
Size

1.1MB
MD5

46208163f656bf94b2e45a543d5ede62
SHA1

cf2395325249c56aff449b8581242360ca7f4712
SHA256

91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88
SHA512

2457c265469244772c9bafcc91d9dfd05f6729d4306ce364241eba4b5415f82a50f319f176f9998a910136f09294e3b5e9bf3d7271632b0b8eccfdb64c2fb885
SSDEEP

24576:KaHMv6Corjqny/Q5S0WnXi1FlWJNY3WmNAZnPASur:K1vqjd/Q5SPXitWJNXIrr

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/5092-133-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral2/memory/5092-140-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1728-137-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1728-139-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1728-141-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1728-142-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 5092	3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	83
PID 3448 wrote to memory of 5092	3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	83
PID 3448 wrote to memory of 5092	3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	83
PID 3448 wrote to memory of 5092	3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	83
PID 3448 wrote to memory of 5092	3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	83
PID 3448 wrote to memory of 5092	3448	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	83
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85
PID 5092 wrote to memory of 1728	5092	91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe	85

C:\Users\Admin\AppData\Local\Temp\91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
"C:\Users\Admin\AppData\Local\Temp\91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
  "C:\Users\Admin\AppData\Local\Temp\91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\91e3e9cc577255c3515aabc14fc485521098421bc7d77c9bab64fbe9c7b5ab88.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-142-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5092-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5092-140-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing