isrstealer | 4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee

General

Target

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
Size

653KB
MD5

6549791f95f9aef9b36bdc610e164544
SHA1

100124afab447d183bfa86dcab523d9b5e8e0eff
SHA256

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee
SHA512

2701d24098a89c96808ae23d22581f113abeb15c26c70eb85ecdd859e7ae1a1846f543f5ce7f1a6e066664a228cfe41c273aae9b7470a853fe35f459582131eb
SSDEEP

12288:8yizl10AJba1TfklX/Sns/SF5lwEhTjRUC3so0bJ2OxNJ4xiJ48E:pEJbaZklKs/SrnJjR7sT76iJ

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4236-133-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/4064-136-0x0000000000000000-mapping.dmp	family_isrstealer

Drops desktop.ini file(s) 2 IoCs

Processes:

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

description	pid	process	target process
PID 3012 set thread context of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 set thread context of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

Drops file in Windows directory 3 IoCs

Processes:

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
File created	C:\Windows\assembly\Desktop.ini	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

description	pid	process
Token: SeDebugPrivilege	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
Token: SeDebugPrivilege	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

description	pid	process	target process
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 3012 wrote to memory of 4236	3012	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
PID 4236 wrote to memory of 4064	4236	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe	4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe

C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
"C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
C:\Users\Admin\AppData\Local\Temp\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe
3⤵
PID:4064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\4e093ee10067fc626d554b03a382c773997cfb438997f4f639a9aaec9e6964ee.exe.log
Filesize
128B

MD5
3d238ac6dd6710907edf2ad7893a0ed2

SHA1
b07aaeeb31bdc6e94097a254be088b092dc1fb68

SHA256
02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501

SHA512
c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24

Download Submit
memory/3012-132-0x00007FFD1E740000-0x00007FFD1F176000-memory.dmp

Filesize
10.2MB

Download
memory/4064-136-0x0000000000000000-mapping.dmp

Download
memory/4064-137-0x00007FFD1E740000-0x00007FFD1F176000-memory.dmp

Filesize
10.2MB

Download
memory/4236-133-0x0000000000000000-mapping.dmp

Download
memory/4236-135-0x00007FFD1E740000-0x00007FFD1F176000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads