isrstealer | 9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278

General

Target

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe
Size

357KB
MD5

bf4fe8d5d9c1eb3025af8d7a751d9c40
SHA1

0dc50e178debf85f7e003eb8ead837514ee88a37
SHA256

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278
SHA512

9735cd0a6c22050b055e9dca4005d900664bc58d51cd4b7af5666e8c4b9efc71de7896a1f85ceceb362a6fb6eb0ed776d1a888d47a52ecca4fc7722c8a5137c9
SSDEEP

6144:9120bYng+O40hQTyYVa8ySLSY/wNfDM/H2wVkE5IYAzgo0pKTsuPQ47gXiCKxbWM:P5YgZH2ja8njP2wVkEhMQKTsL5

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/1524-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1524-63-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1524-62-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1524-73-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1524-85-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1760-82-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1760-83-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1760-84-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/1760-82-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1760-83-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1760-84-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1916-68-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1916-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1916-74-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1916-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1916-77-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1760-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-81-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-82-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1760-84-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1524 set thread context of 1916	1524	vbc.exe	27
PID 1524 set thread context of 1760	1524	vbc.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1992 wrote to memory of 1524	1992	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	26
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1916	1524	vbc.exe	27
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28
PID 1524 wrote to memory of 1760	1524	vbc.exe	28

C:\Users\Admin\AppData\Local\Temp\9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe
"C:\Users\Admin\AppData\Local\Temp\9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\ijlpq7W5la.ini"
    3⤵
    PID:1916
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\YeTafZ7fXq.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1992-67-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-56-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-55-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing