isrstealer | 73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413

Analysis

max time kernel
48s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe
Size

361KB
MD5

fcfac837f8bc438090055bf1c8adc675
SHA1

f5df70e8ce133dd393881e4905b9aec4347e1ee6
SHA256

73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413
SHA512

85e4bde9605032a0809cb3e4f9109d0e5f46fac51ed92302a9623b254b00c484a77f588e90a74f014f553d426e4b25fca1bd365c28c39557364cc7f6b39737c9
SSDEEP

6144:pkU1ampKEpqs2WSH8EP6BEWCdrYnP9B2ZxrLTVoKYMvRAS5zz+Tv1:p3KEUs2WZKYP2DnTyZMvRLl

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/856-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/856-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/856-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/856-72-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/856-75-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 856 set thread context of 1236	856	RegAsm.exe	29
PID 856 set thread context of 1896	856	RegAsm.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
856	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 2004 wrote to memory of 856	2004	73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe	28
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1236	856	RegAsm.exe	29
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30
PID 856 wrote to memory of 1896	856	RegAsm.exe	30

C:\Users\Admin\AppData\Local\Temp\73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe
"C:\Users\Admin\AppData\Local\Temp\73b1ba0355d45ddbaf61331ae75d0cb5407abc0099d1b61d12a69ae8e390f413.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\6Unv6nHTfo.ini"
    3⤵
    PID:1236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\sj4CZdVisL.ini"
    3⤵
    PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-55-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-56-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/2004-67-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download