isrstealer | 25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe
Size

1.1MB
MD5

816cc4d38afcf2792be067bb64637ed9
SHA1

9d87f8340eec6469c9bdc25a6cac29e6cb5add93
SHA256

25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391
SHA512

5bb37ec318842ab1705bf7c46b66aaed60e5443da1ab50ad48cf328cd7f45793598a8f964c7930bc64e4fbc8fa698a9fcc0018ad81637555da8fa0b0dd7b63e3
SSDEEP

24576:GV+yqaLs4zzaWWc5cxAN+ENr6XovJIYKC19:YZLjphccM4vJvjP

Score

10^/10

isrstealer persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/628-64-0x0000000000400000-0x000000000044B000-memory.dmp	family_isrstealer
behavioral1/memory/628-66-0x0000000000400000-0x000000000044B000-memory.dmp	family_isrstealer
behavioral1/memory/628-67-0x0000000000401130-mapping.dmp	family_isrstealer
behavioral1/memory/628-88-0x0000000000400000-0x000000000044B000-memory.dmp	family_isrstealer

Executes dropped EXE 4 IoCs

pid	Process
1384	server.exe
628	server.exe
952	CHESTE~1.EXE
1668	server.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000122d2-56.dat	upx
behavioral1/memory/1384-58-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/files/0x000c0000000122d2-59.dat	upx
behavioral1/files/0x000c0000000122d2-60.dat	upx
behavioral1/files/0x000c0000000122d2-68.dat	upx
behavioral1/memory/1384-70-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/files/0x000c0000000122d2-77.dat	upx
behavioral1/memory/1668-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/files/0x000c0000000122d2-80.dat	upx
behavioral1/memory/1668-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1668-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/628-85-0x0000000002910000-0x00000000029C4000-memory.dmp	upx
behavioral1/memory/1668-86-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1668-87-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1384	server.exe
628	server.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1384-70-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral1/files/0x00090000000122e8-72.dat	autoit_exe
behavioral1/files/0x00090000000122e8-74.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 628	1384	server.exe	27
PID 628 set thread context of 1668	628	server.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
952	CHESTE~1.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE
952	CHESTE~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
628	server.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1384	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	26
PID 1248 wrote to memory of 1384	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	26
PID 1248 wrote to memory of 1384	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	26
PID 1248 wrote to memory of 1384	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	26
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1384 wrote to memory of 628	1384	server.exe	27
PID 1248 wrote to memory of 952	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	28
PID 1248 wrote to memory of 952	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	28
PID 1248 wrote to memory of 952	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	28
PID 1248 wrote to memory of 952	1248	25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe	28
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29
PID 628 wrote to memory of 1668	628	server.exe	29

C:\Users\Admin\AppData\Local\Temp\25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe
"C:\Users\Admin\AppData\Local\Temp\25f44adf8ceec3f90e02a02178fc377e26cda8c88293c6b9c5d27e5ac47c7391.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
      4⤵
      Executes dropped EXE
      PID:1668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE

Filesize
716KB

MD5
03b135d5a82914328feeca9b557e1329

SHA1
126b97ed98e020a3ea9e2643d65cea10d10ccb6b

SHA256
926dec9667febd791cec5997e6ae0cced3b4f17645f256ebdd3195728e263a6d

SHA512
21afd99dfa8f7d8627140bef4fe44a5d8993f44956005d17bf54e8d29eb16c2bbb58bf7ed0ff814b502a8c6a1fcdda427efaada32ecd72351dbf7ec014d81849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESTE~1.EXE

Filesize
716KB

MD5
03b135d5a82914328feeca9b557e1329

SHA1
126b97ed98e020a3ea9e2643d65cea10d10ccb6b

SHA256
926dec9667febd791cec5997e6ae0cced3b4f17645f256ebdd3195728e263a6d

SHA512
21afd99dfa8f7d8627140bef4fe44a5d8993f44956005d17bf54e8d29eb16c2bbb58bf7ed0ff814b502a8c6a1fcdda427efaada32ecd72351dbf7ec014d81849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
581KB

MD5
75e274bcee8577e0e76181d50177c75e

SHA1
3fe1337482f9698af33ea00f47670462a6304530

SHA256
312b346df5feb4001960d9283088e5037d863ec261b143caae8386434384972a

SHA512
d93acfa5d4d23eb94d20569b5bca1e0ca37af0c34fa53e89819c3006b513c7de29e045e387666cf0ee7c8b0fcbacb1743e8f02532f3bd07ccc8e5e0320526083

Download Submit
memory/628-85-0x0000000002910000-0x00000000029C4000-memory.dmp

Filesize
720KB

Download
memory/628-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/628-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/628-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/628-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/628-88-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/628-89-0x0000000002910000-0x00000000029C4000-memory.dmp

Filesize
720KB

Download
memory/1248-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/1384-70-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1384-58-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1384-57-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1668-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-86-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-87-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download