isrstealer | be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911

General

Target

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
Size

987KB
MD5

373c926191d73123ebe2f4bec74d8e69
SHA1

4accc998151d4d77a6115fb242d9a6e9552f6275
SHA256

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911
SHA512

e40638297baf68a7defee0752f1492a3da0821de8d470dbefea3981d907e067a2a8c2ed09800d8bb36175d0b14e7009ffa960d6066a7f552d7f08834354fde9b
SSDEEP

24576:eRmJkqoQrilOIQ+yMxGa1OK0SQOb/KjW6:HJXoQryTiMxGa1tOOb/K9

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1900-58-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1900-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1900-61-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1900-71-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1900-73-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1900-82-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2020-79-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2020-80-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2020-83-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-79-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2020-80-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2020-83-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1500-65-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1500-69-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1500-70-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1500-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2020-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2020-78-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2020-79-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2020-80-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1500-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2020-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exebe94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

description	pid	process	target process
PID 868 set thread context of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 set thread context of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 set thread context of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

pid	process
868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

pid	process
868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

pid process

1900 be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

pid	process
1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exebe94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

C:\Users\Admin\AppData\Local\Temp\be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
"C:\Users\Admin\AppData\Local\Temp\be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
"C:\Users\Admin\AppData\Local\Temp\be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\wzCy6ICWAL.ini"
3⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\J5wnDQ64Gu.ini"
3⤵
- Accesses Microsoft Outlook accounts
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1500-66-0x00000000004512E0-mapping.dmp

Download
memory/1500-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1500-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1900-61-0x0000000000401180-mapping.dmp

Download
memory/1900-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1900-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2020-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-75-0x000000000041C410-mapping.dmp

Download
memory/2020-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

description	pid	process	target process
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 868 wrote to memory of 1900	868	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 1500	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe
PID 1900 wrote to memory of 2020	1900	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe	be94edcb12e68b8045ef76481a94803da9515db03de02d1636eb8e33ec3ed911.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads