isrstealer | 67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe
Size

899KB
MD5

21754d03fc630d0941e6274fdb3bab17
SHA1

5c8f1db48fcd279769971517061386fb6bdefe78
SHA256

67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619
SHA512

c92c470054fb5967cde5fc1fa1926f057738bc5508f7271af31ac828191213fab12616a136cf5a8ffa272102d17db34b98c51f7cc743fddf33c2da4c5283c412
SSDEEP

12288:kRWNcr8oxnOS90QbJa6QE/rI+D00FsG0B3mgDnDK23nwAklwGgG0rWl6VIE2bSqV:/NBIO0/LIV0KG0BWOnDdn/kl4BrrF2fV

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/1348-66-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1348-67-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1348-81-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1348-94-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1348-95-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1548-92-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1548-93-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1548-92-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1548-93-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
1916	wfEfCsjRy.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/732-73-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/732-77-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/732-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/732-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/732-82-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/732-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1548-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-89-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe
1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe
1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 1348	1916	wfEfCsjRy.exe	29
PID 1348 set thread context of 732	1348	RegSvcs.exe	30
PID 1348 set thread context of 1548	1348	RegSvcs.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1916	wfEfCsjRy.exe
1916	wfEfCsjRy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	wfEfCsjRy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1348	RegSvcs.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1812 wrote to memory of 1916	1812	67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe	28
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1916 wrote to memory of 1348	1916	wfEfCsjRy.exe	29
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 732	1348	RegSvcs.exe	30
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33
PID 1348 wrote to memory of 1548	1348	RegSvcs.exe	33

C:\Users\Admin\AppData\Local\Temp\67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe
"C:\Users\Admin\AppData\Local\Temp\67a572628783d938e92197ee95b706633f0c32719109f5bde8622a33e934d619.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe
  "C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe" WKzDXmGySiNt.CCM
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\YuEUlp82VX.ini"
      4⤵
      PID:732
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\vEcS4KxlX3.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1H847N~1\OBQDDO~1.LQQ

Filesize
260KB

MD5
44035b71f93b971dded0dd0a1b57c0b0

SHA1
0f96f513799cfda1e5d0b6be8c6c904bd2741c61

SHA256
51e9fd794fbe0e8a7e73ec720c64424d7234b614ab18e061e480a6db66c97395

SHA512
fdb2b154befb4a792c0f5753f0d008af06955bb95090660928f9e3be2b176b75333311a3b5a858412c1c6cc941dd58e737d756a0417821a0df5ba2d950b8be4e

Download Submit
C:\Users\Admin\1H847N~1\uHgkAD.FRM

Filesize
35B

MD5
0d6a4699347514e83df3c756286d027b

SHA1
43f5c5ea798282b0681656314340918db4089640

SHA256
7d6376d1aed12fb95212a8a99ac33a3627cebbdb2556a30bcc1af487382c8713

SHA512
d74e02d8fc7b1b881e5566c23083de29cd7609e45f233734f90213120729917f6d9d19120365520e42ee32923f5afffe75c8713f1814f7d7e3c5458f28539c9c

Download Submit
C:\Users\Admin\1h847n55gdu161\WKzDXmGySiNt.CCM

Filesize
33.9MB

MD5
a7f9a232d82cc9a03f3070e2c7d6ff10

SHA1
7681f36df0d99103a69b5e55704c8f023e32bd77

SHA256
35737c7d963385ccc15f9f18d7472640886b3e80155f8da8f309298885c82a42

SHA512
27bc27bf7d90872852d0b3d6b029487bb668a01a5e17c2494c300ff8075b15c56f224f4d384b38ea0ef3e2a163f6d2ad004514215d240c18f098503c41f8f600

Download Submit
C:\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe

Filesize
795KB

MD5
e1cd87c1a44c4b6584dd2df7d5bd2e9c

SHA1
7a271f98b88e9974618fda5f9a5f874434b44bc8

SHA256
da10f63ba3641ce01af17072e1bc67b28e4c2e990436b76714bd02e019b0b388

SHA512
276afc51891f7dc50b249faf65e9c7aa3c93997ee48cee829e3535287ef7d571ed29c5895822d78293f54c57deb4d6a2cf2c908b7d4f7869fc67cbaf64bd3f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuEUlp82VX.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe

Filesize
795KB

MD5
e1cd87c1a44c4b6584dd2df7d5bd2e9c

SHA1
7a271f98b88e9974618fda5f9a5f874434b44bc8

SHA256
da10f63ba3641ce01af17072e1bc67b28e4c2e990436b76714bd02e019b0b388

SHA512
276afc51891f7dc50b249faf65e9c7aa3c93997ee48cee829e3535287ef7d571ed29c5895822d78293f54c57deb4d6a2cf2c908b7d4f7869fc67cbaf64bd3f4a

Download Submit
\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe

Filesize
795KB

MD5
e1cd87c1a44c4b6584dd2df7d5bd2e9c

SHA1
7a271f98b88e9974618fda5f9a5f874434b44bc8

SHA256
da10f63ba3641ce01af17072e1bc67b28e4c2e990436b76714bd02e019b0b388

SHA512
276afc51891f7dc50b249faf65e9c7aa3c93997ee48cee829e3535287ef7d571ed29c5895822d78293f54c57deb4d6a2cf2c908b7d4f7869fc67cbaf64bd3f4a

Download Submit
\Users\Admin\1h847n55gdu161\wfEfCsjRy.exe

Filesize
795KB

MD5
e1cd87c1a44c4b6584dd2df7d5bd2e9c

SHA1
7a271f98b88e9974618fda5f9a5f874434b44bc8

SHA256
da10f63ba3641ce01af17072e1bc67b28e4c2e990436b76714bd02e019b0b388

SHA512
276afc51891f7dc50b249faf65e9c7aa3c93997ee48cee829e3535287ef7d571ed29c5895822d78293f54c57deb4d6a2cf2c908b7d4f7869fc67cbaf64bd3f4a

Download Submit
memory/732-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download