isrstealer | 18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613

Analysis

max time kernel
100s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe
Size

355KB
MD5

6adad5d248e3dc3e7b0a9eb421b2d3af
SHA1

cd0f3625f6400e79a6ee83298295b8934b32e25b
SHA256

18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613
SHA512

1735f7444747212ddcc244de569652bbb8d2f43df46f46f3b1471ebccff04953029adff50d9fcb96c3cbb18a1294298ffca8f45ab48a0b505702b9450a78725c
SSDEEP

6144:dRPJyiBMhtDSmB9HgZ8ZG+chtJIPVa4VF1g6RXHYc59wJeP+c0eUrMFDE7ukHmoy:hpgRSmB9AAGhtJI4w1Bt4WGsDE7ukHm9

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3312-141-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/3312-142-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/3312-157-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral2/memory/3312-159-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2572-153-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/2572-158-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/2572-160-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/2572-153-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/2572-158-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/2572-160-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
2396	keygen.exe
4956	xmen.exe
3312	xmen.exe
4520	xmen.exe
2572	xmen.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 3312	4956	xmen.exe	85
PID 3312 set thread context of 4520	3312	xmen.exe	86
PID 4520 set thread context of 2572	4520	xmen.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3312	xmen.exe
3312	xmen.exe
3312	xmen.exe
3312	xmen.exe
3312	xmen.exe
3312	xmen.exe
3312	xmen.exe
3312	xmen.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4956	xmen.exe
3312	xmen.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2396	4444	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe	83
PID 4444 wrote to memory of 2396	4444	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe	83
PID 4444 wrote to memory of 2396	4444	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe	83
PID 4444 wrote to memory of 4956	4444	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe	84
PID 4444 wrote to memory of 4956	4444	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe	84
PID 4444 wrote to memory of 4956	4444	18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe	84
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 4956 wrote to memory of 3312	4956	xmen.exe	85
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 3312 wrote to memory of 4520	3312	xmen.exe	86
PID 4520 wrote to memory of 2572	4520	xmen.exe	87
PID 4520 wrote to memory of 2572	4520	xmen.exe	87
PID 4520 wrote to memory of 2572	4520	xmen.exe	87
PID 4520 wrote to memory of 2572	4520	xmen.exe	87
PID 4520 wrote to memory of 2572	4520	xmen.exe	87

C:\Users\Admin\AppData\Local\Temp\18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe
"C:\Users\Admin\AppData\Local\Temp\18421aea49ec967d347429f0cc20d7026fad6d3ca6199cd25bb77cab5a111613.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\xmen.exe
  "C:\Users\Admin\AppData\Local\Temp\xmen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\xmen.exe
    "C:\Users\Admin\AppData\Local\Temp\xmen.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\xmen.exe
      "C:\Users\Admin\AppData\Local\Temp\xmen.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\xmen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xmen.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        5⤵
        Executes dropped EXE
        
        PID:2572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
16KB

MD5
8a4390d407dff132c0a3ce7f470c8ce0

SHA1
7015aa43f5557896ce3b669633caa7415d49b024

SHA256
b2e1b4d52669c8b2babdbdc15009796625a63734f1563aac51039bcca705af4a

SHA512
549ec0d7a69daf0b28a786244e33b276e9cb1d48df376f246f006f835d868fdb3c23a4a6455d3756b181396c94323ad440e038509c24bf2975e7e2ba5bf797f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
16KB

MD5
8a4390d407dff132c0a3ce7f470c8ce0

SHA1
7015aa43f5557896ce3b669633caa7415d49b024

SHA256
b2e1b4d52669c8b2babdbdc15009796625a63734f1563aac51039bcca705af4a

SHA512
549ec0d7a69daf0b28a786244e33b276e9cb1d48df376f246f006f835d868fdb3c23a4a6455d3756b181396c94323ad440e038509c24bf2975e7e2ba5bf797f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmen.exe

Filesize
384KB

MD5
bc49de5370f097c554ee74fa01c598f3

SHA1
d597f3dbd46f079123c96e3646f418a5f5c3695b

SHA256
4e8712394effe5a1baf5b8e6cc20395172f58d77118a6a7bec67931d62c8f296

SHA512
49e60b44bce8498ec6925c5ab4221371e63fc2f6879f38e3ca578f0b5b9da24bef8b01de08fa543b9133ec09535e8633f6c19f07919ee7b4b8cdf5c6bf61dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmen.exe

Filesize
384KB

MD5
bc49de5370f097c554ee74fa01c598f3

SHA1
d597f3dbd46f079123c96e3646f418a5f5c3695b

SHA256
4e8712394effe5a1baf5b8e6cc20395172f58d77118a6a7bec67931d62c8f296

SHA512
49e60b44bce8498ec6925c5ab4221371e63fc2f6879f38e3ca578f0b5b9da24bef8b01de08fa543b9133ec09535e8633f6c19f07919ee7b4b8cdf5c6bf61dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmen.exe

Filesize
384KB

MD5
bc49de5370f097c554ee74fa01c598f3

SHA1
d597f3dbd46f079123c96e3646f418a5f5c3695b

SHA256
4e8712394effe5a1baf5b8e6cc20395172f58d77118a6a7bec67931d62c8f296

SHA512
49e60b44bce8498ec6925c5ab4221371e63fc2f6879f38e3ca578f0b5b9da24bef8b01de08fa543b9133ec09535e8633f6c19f07919ee7b4b8cdf5c6bf61dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmen.exe

Filesize
384KB

MD5
bc49de5370f097c554ee74fa01c598f3

SHA1
d597f3dbd46f079123c96e3646f418a5f5c3695b

SHA256
4e8712394effe5a1baf5b8e6cc20395172f58d77118a6a7bec67931d62c8f296

SHA512
49e60b44bce8498ec6925c5ab4221371e63fc2f6879f38e3ca578f0b5b9da24bef8b01de08fa543b9133ec09535e8633f6c19f07919ee7b4b8cdf5c6bf61dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmen.exe

Filesize
384KB

MD5
bc49de5370f097c554ee74fa01c598f3

SHA1
d597f3dbd46f079123c96e3646f418a5f5c3695b

SHA256
4e8712394effe5a1baf5b8e6cc20395172f58d77118a6a7bec67931d62c8f296

SHA512
49e60b44bce8498ec6925c5ab4221371e63fc2f6879f38e3ca578f0b5b9da24bef8b01de08fa543b9133ec09535e8633f6c19f07919ee7b4b8cdf5c6bf61dcb7

Download Submit
memory/2396-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2396-161-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-153-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2572-160-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2572-158-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3312-157-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3312-159-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3312-142-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4520-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download