isrstealer | 161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6

General

Target

161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe
Size

404KB
MD5

4e41e8f87c89c2f7dd423a0750871b81
SHA1

fc85caa8b48841fbd8064fc7bbe3a1d13b2c8992
SHA256

161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6
SHA512

1eaf21197de113e55c2bdf2db6522245a2381d0696f9caa4f6c26e9443cdfe38f78c4d8a04e0b0baae58c1ee7a406fdf1336bfad4a921e1d6da2c09913f790ed
SSDEEP

12288:/B/USBseMoZWv6TuKHM+mm7Q2aQfRE6QMm:/BUJepkyTrHM+mEjaQftQ3

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1988-61-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1988-64-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1988-63-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1988-86-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/532-83-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/532-85-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/532-83-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/532-85-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1560-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1560-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1560-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1560-77-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/532-78-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/532-82-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/532-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1560-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/532-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1988 set thread context of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 set thread context of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1248 wrote to memory of 1988	1248	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	26
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 1560	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	27
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28
PID 1988 wrote to memory of 532	1988	161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe	28

C:\Users\Admin\AppData\Local\Temp\161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe
"C:\Users\Admin\AppData\Local\Temp\161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe
  "C:\Users\Admin\AppData\Local\Temp\161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\8IgF5wRIO1.ini"
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\161d4de39ca95ff50682c36624d03beca497957619f7b69b5ecae8b045cf22f6.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\DeUYmF4p5D.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/532-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/532-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/532-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-55-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-56-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-57-0x0000000000C25000-0x0000000000C36000-memory.dmp

Filesize
68KB

Download
memory/1248-67-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-68-0x0000000000C25000-0x0000000000C36000-memory.dmp

Filesize
68KB

Download
memory/1560-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1560-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1988-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing