isrstealer | 8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4

General

Target

8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe
Size

732KB
MD5

0c0d93d9f6bdf6d06f2f5365bfce847f
SHA1

14ce91343363e99b28b66a459dcf22daccd3ec55
SHA256

8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4
SHA512

56817e714e9b051ee0577a69b21804548aaf868603d55ce845268e8b1b77c5b77a2ffee0bdbe3064af05f7d12611bef081dc7eb20e38858700dfba1fbf25db6b
SSDEEP

12288:iGKeZUuWhwjwZbwd1WT9uUY+N32aGvUpRMguefuOl7dlEm:fHuuGwdoTbBAWcyvEm

Score

10^/10

isrstealer persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1928-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1928-62-0x0000000000400000-0x000000000045A000-memory.dmp	family_isrstealer
behavioral1/memory/1928-60-0x0000000000400000-0x000000000045A000-memory.dmp	family_isrstealer
behavioral1/memory/1928-78-0x0000000000400000-0x000000000045A000-memory.dmp	family_isrstealer

Executes dropped EXE 1 IoCs

pid	Process
1928	vbc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1976-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1976-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1976-77-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1976-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe"	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28
PID 888 wrote to memory of 1928	888	8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe	28

C:\Users\Admin\AppData\Local\Temp\8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe
"C:\Users\Admin\AppData\Local\Temp\8600ba5fe6af2bb5f70e162bf22e34bf558a2dd9820ba50e2e5e2cdf71c3e5f4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\P3dlWkiJnO.ini"
    3⤵
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
37KB

MD5
e35bf8b5be46e2fb1a49c584e52541b3

SHA1
dc1b52330b9529175b3de9597c08abed04d39dc9

SHA256
a70b9edd59e9a564ef489e25f960f91b180b3943fa951a204c3f707999b8e107

SHA512
57b17306b8383500d562243e2aa991cbf638082a52f7e06472d2451c31c3f6730ba155cceab95c5f1c17c18b2a228bcb98d2b00a8a13f3e62626bcd946118edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
34KB

MD5
d6ca16e9943576d819b43ddb3613d102

SHA1
62822d3d40a273e2f423559ec5ffb1900040397e

SHA256
a36990615fb630c0823dfd633624c8efd55350d38be9a803183ef8d3a0826426

SHA512
634f1b211c65bedc4802042824199fb8090a85101b8ce55489f95f9162ebb9100ddea67aa71bf854c72af10720ec985c242af6ea1dec07a7c15327e75d178ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
45KB

MD5
49bfafd3c229e5fa2dfc981a83abffb1

SHA1
bd2532cab3d536a679443c68eddac5089ce356fb

SHA256
e906afb8878e022d7c2cdc9e76bec0b1aa7b73b0424f81afcf8afe26df577342

SHA512
433169154afa6ff5a3d09d23e0c16c543e391d1025030d8a61ee2212ef08b9300a8b53a6b9ecfea781ff7a8d2c617257c75b7979d55a358a4fc5209c938d2ce1

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
36KB

MD5
b717b299e6fd2fc44897056a596c4843

SHA1
3de2bceb4a81a69abc9473679157e2fcb1f5faa8

SHA256
a988032be64dc4c571d3099364871ffc68c415e68ca304bc83fe35b114523553

SHA512
ed97d90908000fd1dc62f9896df8512c83d64b794e7ba28ffa7e5cbed8446e0bc7e44cf9de710085662d65ae326af0ce1117c438d73dff04a501e8d1b99b6ba1

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
13KB

MD5
6c3e273a3b9907dd5469bf542aa6ae27

SHA1
824ebdb320e7fbcd71b239f553dcc5fe10197e19

SHA256
b8b318b8828e0c8181860705c1d41e2dc2106b096ff924ffcd5a45f22b24f95f

SHA512
57f2769edda6fcf76250c3681913db54ae2d89123253f529c20e507b2f79b88ce19597e7650c47e5a2f9473ec15b9fd448ca0b67b260644d3969c01ff83edbeb

Download Submit
memory/888-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/888-55-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/888-66-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1928-60-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1928-58-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1928-57-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1928-78-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1976-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing