isrstealer | 9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278

General

Target

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe
Size

357KB
MD5

bf4fe8d5d9c1eb3025af8d7a751d9c40
SHA1

0dc50e178debf85f7e003eb8ead837514ee88a37
SHA256

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278
SHA512

9735cd0a6c22050b055e9dca4005d900664bc58d51cd4b7af5666e8c4b9efc71de7896a1f85ceceb362a6fb6eb0ed776d1a888d47a52ecca4fc7722c8a5137c9
SSDEEP

6144:9120bYng+O40hQTyYVa8ySLSY/wNfDM/H2wVkE5IYAzgo0pKTsuPQ47gXiCKxbWM:P5YgZH2ja8njP2wVkEhMQKTsL5

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2980-135-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2980-143-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2980-152-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4148-151-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4148-154-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4148-151-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4148-154-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4980-141-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4980-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4148-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-147-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4980-148-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4148-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4148-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-153-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4148-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exevbc.exe

description	pid	process	target process
PID 2452 set thread context of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2980 set thread context of 4980	2980	vbc.exe	vbc.exe
PID 2980 set thread context of 4148	2980	vbc.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe

description pid process

Token: SeDebugPrivilege 2452 9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

2980 vbc.exe

description	pid	process
Token: SeDebugPrivilege	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe

pid	process
2980	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exevbc.exe

description	pid	process	target process
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2452 wrote to memory of 2980	2452	9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4980	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe
PID 2980 wrote to memory of 4148	2980	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe
"C:\Users\Admin\AppData\Local\Temp\9081ed87c8ee12275421cd90edd76ea4aca0daaab8a88441468c4e3f97afd278.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\mfdDjKJST5.ini"
3⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\YULgBd5HF5.ini"
3⤵
- Accesses Microsoft Outlook accounts
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-133-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2452-139-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2452-132-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2980-134-0x0000000000000000-mapping.dmp

Download
memory/2980-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4148-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4148-145-0x0000000000000000-mapping.dmp

Download
memory/4148-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4148-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads