isrstealer | 9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
Size

1.2MB
MD5

675b2173674cd94a84a4eb20d2eafe6c
SHA1

c6ce45ac376cff4d5cc48a561850245a4be138a5
SHA256

9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016
SHA512

367a684b00bd8b2e4f5c915e4eae12efed44681afb369c5fe3eb555fbb9c59243afd1e29d8112428937025c9061fadb86b8e1e17e34ea9dc98c10c7b82351893
SSDEEP

24576:17uhAWsJKisl8xvymr9ZgKDrxyTkNr3OMJz33to2yERUr4aA:puW9bRxvfr9ZzxyC/JD3tPGs

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000005c51-57.dat	family_isrstealer
behavioral1/files/0x0008000000005c51-64.dat	family_isrstealer
behavioral1/files/0x0008000000005c51-65.dat	family_isrstealer
behavioral1/files/0x0008000000005c51-68.dat	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
1964	1.exe
1504	2.exe
664	1.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012324-59.dat	upx
behavioral1/files/0x000a000000012324-62.dat	upx
behavioral1/memory/664-66-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/files/0x000a000000012324-70.dat	upx
behavioral1/files/0x000a000000012324-69.dat	upx
behavioral1/files/0x000a000000012324-71.dat	upx
behavioral1/memory/664-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/664-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1504-77-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/664-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/664-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1504-84-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1964	1.exe
1504	2.exe
1504	2.exe
1504	2.exe
1504	2.exe
1504	2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 664	1964	1.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	1.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1964	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	28
PID 1368 wrote to memory of 1964	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	28
PID 1368 wrote to memory of 1964	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	28
PID 1368 wrote to memory of 1964	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	28
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1368 wrote to memory of 1504	1368	9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe	29
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30
PID 1964 wrote to memory of 664	1964	1.exe	30

C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe
"C:\Users\Admin\AppData\Local\Temp\9491240fbdff36285ab31adbabb5de6aeb18cb6989474149c9b571ba84289016.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
    3⤵
    - Executes dropped EXE
    PID:664
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
\Temp\0VK5IPQA\2\plugins\0\CustomUI.dll

Filesize
344KB

MD5
04eecd03af7eafb84b6581a5b37d275e

SHA1
3351059d04a2e9f9f0a3719083eeda03dab0f124

SHA256
39ba967edebb288f921c37348d7c21b05e3af40033e0eb386f35b4be2b04be50

SHA512
19088141aa48e1bb74202d09751006fa9182568750caa7e3132169c66c9fee4a784cb1139c954b1c940f9578cfa51be7474c09780cc6fda3022e69eeec9c21d9

Download Submit
\Temp\0VK5IPQA\unpack.dll

Filesize
34KB

MD5
705aa1dc6f5fb72a2182ffd2c95bfa2e

SHA1
08de4589e01d3f0f589209baf8b669fae04b5875

SHA256
ec8361e43f0f83d0da13261718b8791e5517375fce67b4055d390353a5b2ca00

SHA512
5d00edf396efc5c130e1e7071fe027afaaa35d4d746441a1f0e0736c4828941e55e49f5319f5c1739bd75d2b5e03504d59284b2754430e0053e3f8d5f2702e4d

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
296KB

MD5
0d52e0a349759ad3c5187c7977c90c29

SHA1
3dec01284642a30dfd5912c81036de52202862f7

SHA256
a0117f1b9d67f2201d6967743970e85569b6b8dca62a40f0edc1121b2f8ddfd4

SHA512
66563dd40d1bd15090a0dd61e359bc41e3b18f0d8d311f82ade8a93a4a45881917ce333f01960f3f7dc4840d23d3c3b8f74325a15e509682932e81f810b14aa3

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
877KB

MD5
6da200844baa9ce4f9952e48eefced54

SHA1
d245932e01f8a4d55383c602d06a0116752d5619

SHA256
a50055146089bdcc1a9756b00b7cdf9c9a5c7d07af88ba1c09b60ea584f38273

SHA512
d4c7a8fc6e436bf00166540ab45aeed675ca470842b93224cd1d89f56e9f82c052a1aedbb625c40c94690be9a8a8d82a354d78ac6619081f29adb8f8e176be02

Download Submit
memory/664-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-54-0x000007FEF3BF0000-0x000007FEF4613000-memory.dmp

Filesize
10.1MB

Download
memory/1368-55-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/1504-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1504-61-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1504-79-0x0000000000240000-0x00000000002A8000-memory.dmp

Filesize
416KB

Download
memory/1504-80-0x0000000000240000-0x00000000002A8000-memory.dmp

Filesize
416KB

Download
memory/1504-82-0x0000000002760000-0x00000000027BC000-memory.dmp

Filesize
368KB

Download
memory/1504-84-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1504-85-0x0000000000240000-0x00000000002A8000-memory.dmp

Filesize
416KB

Download
memory/1504-86-0x0000000000240000-0x00000000002A8000-memory.dmp

Filesize
416KB

Download
memory/1504-87-0x0000000000240000-0x00000000002A8000-memory.dmp

Filesize
416KB

Download