isrstealer | af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe
Size

936KB
MD5

93afcb782bfddfb4f60d114fe22fc05e
SHA1

0125f4eb7cbd4eb14fedb74c3444a5ca50be8b24
SHA256

af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620
SHA512

55dc4e2167a397187609bdf5cc3fddb874d3a58c70fd522b56bca396bcddda1ab73c08e413455a97ba2bf5c6ab8de2af888b76400e1a4e645984590d3686cdb7
SSDEEP

12288:Cat0EAH49n8BOaQWVZXN4xxN5nltL0LkbUcpC/SDbO86Cuw78YOJEn1GUEVQqYHI:tt24byZKxldbouu68GGUEtsh7N1tEuc

Score

10^/10

isrstealer collection evasion persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/4572-139-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4572-140-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2208-155-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2208-156-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2208-157-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/2208-155-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2208-156-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2208-157-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
2080	igfrxe.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4156-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4156-146-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4156-147-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4156-148-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4156-149-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2208-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2208-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2208-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2208-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2208-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	igfrxe.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2yfzc537c8ap43 = "C:\\Users\\Admin\\2yfzc537c8ap43\\13989.vbs"	igfrxe.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	igfrxe.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	igfrxe.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2080 set thread context of 4572	2080	igfrxe.exe	91
PID 4572 set thread context of 4156	4572	RegSvcs.exe	92
PID 4572 set thread context of 2208	4572	RegSvcs.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	igfrxe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe
2080	igfrxe.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe
Token: SeDebugPrivilege	2080	igfrxe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4572	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2080	1656	af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe	83
PID 1656 wrote to memory of 2080	1656	af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe	83
PID 1656 wrote to memory of 2080	1656	af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe	83
PID 2080 wrote to memory of 4572	2080	igfrxe.exe	91
PID 2080 wrote to memory of 4572	2080	igfrxe.exe	91
PID 2080 wrote to memory of 4572	2080	igfrxe.exe	91
PID 2080 wrote to memory of 4572	2080	igfrxe.exe	91
PID 2080 wrote to memory of 4572	2080	igfrxe.exe	91
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 4156	4572	RegSvcs.exe	92
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 4572 wrote to memory of 2208	4572	RegSvcs.exe	93
PID 2080 wrote to memory of 2984	2080	igfrxe.exe	94
PID 2080 wrote to memory of 2984	2080	igfrxe.exe	94
PID 2080 wrote to memory of 2984	2080	igfrxe.exe	94
PID 2080 wrote to memory of 5048	2080	igfrxe.exe	95
PID 2080 wrote to memory of 5048	2080	igfrxe.exe	95
PID 2080 wrote to memory of 5048	2080	igfrxe.exe	95

C:\Users\Admin\AppData\Local\Temp\af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe
"C:\Users\Admin\AppData\Local\Temp\af587519aeb6d64f3559f7f93776c29523d3e613f1d6133fde09cb9e2685e620.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\2yfzc537c8ap43\igfrxe.exe
  "C:\Users\Admin\2yfzc537c8ap43\igfrxe.exe" LTTGysghrrbq.NKB
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\TdVKJvac6l.ini"
      4⤵
      PID:4156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\G1qx3tcgy1.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2YFZC5~1\run.vbs"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2YFZC5~1\run.vbs"
    3⤵
    PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2YFZC5~1\BeSWffW.HCU

Filesize
260KB

MD5
82c183a2c7792a6982e749bad783f548

SHA1
09e5fc45014a5d3de4b252f0ddc4772be29be81b

SHA256
c4f2b4402f66d7189f4a97caaf934d5e8fc72c1b47e34468a6b4659cfab53512

SHA512
1859d93434f040ef335e50b7b01deafda9e00521e3fd7cc91871e106d9047a4e8b548ce63c152a85a06e1620cbb5d317ff231f8071f931199df13c2e12109688

Download Submit
C:\Users\Admin\2YFZC5~1\SoOWxTjsHIsd.MPW

Filesize
175B

MD5
3162a3791d7e62e8c908e3b580e017b5

SHA1
2528c56ea8f417d77b93582ae36d9bd2dd6229d9

SHA256
98fb165b4700deb830d3ecbdb3964f25cb367e78c0345e7f29394c28d9dc826d

SHA512
1630e1cd61b6dea66148a04ea66c287377da169a2ea9decb868d67fbac03ee0b279cc8330f97b8c8d5b6521362218244d833b934bc31c5324776bc44d27bc615

Download Submit
C:\Users\Admin\2yfzc537c8ap43\LTTGysghrrbq.NKB

Filesize
32.4MB

MD5
a394cb183feb0ae92a066609b4d2e0fb

SHA1
45777a13bd47575d6e479cd256e50a5f8ea5f900

SHA256
eef41d8e93652938b756456a42c196bfcc499cc585dd34c6dd4ca1116956819c

SHA512
b3133a40095fa4a167a82f454e9ea69e91c9ca5ed086a404c5b08a72c3d0f6c89413212249053c21e2ec21e041a9be4e07547cf46412d9ddfc48c2c6ea89fa9e

Download Submit
C:\Users\Admin\2yfzc537c8ap43\igfrxe.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\2yfzc537c8ap43\igfrxe.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdVKJvac6l.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/2208-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4156-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download