isrstealer | 3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88

Analysis

max time kernel
98s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
Size

742KB
MD5

e79aeb7ebd84de410563ae73e08bc6c8
SHA1

1d60e229f0a9e9c2343e1f2babd82361f7c93304
SHA256

3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88
SHA512

3f40a94979721f0f046e546642bc6290e06d890162ad4f47a496a01753e8b879c8a190ecf7b6366fb05b8510bc5ce6b7d40f591faa15bf7c740e27136e7fc468
SSDEEP

12288:aOW5xH/6Aku+mRA+VYn5JkwCCbPiVcoFDSEE3/M8Tj7:qLSl+6n5JkwjbPjoCPFf7

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000800000001399b-56.dat	family_isrstealer
behavioral1/files/0x000800000001399b-57.dat	family_isrstealer
behavioral1/files/0x000800000001399b-59.dat	family_isrstealer
behavioral1/files/0x000800000001399b-63.dat	family_isrstealer
behavioral1/files/0x000800000001399b-64.dat	family_isrstealer
behavioral1/files/0x000800000001399b-67.dat	family_isrstealer
behavioral1/files/0x000800000001399b-74.dat	family_isrstealer
behavioral1/files/0x000800000001399b-77.dat	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/904-82-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/904-84-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/904-82-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/904-84-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
852	tmp.exe
268	tmp.exe
904	tmp.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/268-65-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/268-70-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/268-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/268-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/904-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/268-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/904-82-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/904-81-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/904-84-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
852	tmp.exe
852	tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 268	852	tmp.exe	30
PID 852 set thread context of 904	852	tmp.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
852	tmp.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 852	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	28
PID 2036 wrote to memory of 852	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	28
PID 2036 wrote to memory of 852	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	28
PID 2036 wrote to memory of 852	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	28
PID 2036 wrote to memory of 1872	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	29
PID 2036 wrote to memory of 1872	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	29
PID 2036 wrote to memory of 1872	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	29
PID 2036 wrote to memory of 1872	2036	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	29
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 268	852	tmp.exe	30
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31
PID 852 wrote to memory of 904	852	tmp.exe	31

C:\Users\Admin\AppData\Local\Temp\3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
"C:\Users\Admin\AppData\Local\Temp\3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\vSaTdbaWfF.ini"
    3⤵
    - Executes dropped EXE
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\Fp5F483tmP.ini"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:904
- C:\Windows\temp\notepad .exe
  "C:\Windows\temp\notepad .exe"
  2⤵
  PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
\Windows\Temp\notepad .exe

Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
memory/268-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/268-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/268-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/268-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/268-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/904-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/904-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-73-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-55-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/2036-83-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download