isrstealer | 3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88

General

Target

3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
Size

742KB
MD5

e79aeb7ebd84de410563ae73e08bc6c8
SHA1

1d60e229f0a9e9c2343e1f2babd82361f7c93304
SHA256

3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88
SHA512

3f40a94979721f0f046e546642bc6290e06d890162ad4f47a496a01753e8b879c8a190ecf7b6366fb05b8510bc5ce6b7d40f591faa15bf7c740e27136e7fc468
SSDEEP

12288:aOW5xH/6Aku+mRA+VYn5JkwCCbPiVcoFDSEE3/M8Tj7:qLSl+6n5JkwjbPjoCPFf7

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022de6-135.dat	family_isrstealer
behavioral2/files/0x0006000000022de6-136.dat	family_isrstealer
behavioral2/files/0x0006000000022de6-141.dat	family_isrstealer
behavioral2/files/0x0006000000022de6-150.dat	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3080-153-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3080-154-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3080-155-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/3080-153-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3080-154-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3080-155-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
3808	tmp.exe
1512	tmp.exe
3080	tmp.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1512-140-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1512-143-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1512-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1512-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3080-149-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3080-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3080-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3080-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3080-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 1512	3808	tmp.exe	86
PID 3808 set thread context of 3080	3808	tmp.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3808	tmp.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3808	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	84
PID 1680 wrote to memory of 3808	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	84
PID 1680 wrote to memory of 3808	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	84
PID 1680 wrote to memory of 3116	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	85
PID 1680 wrote to memory of 3116	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	85
PID 1680 wrote to memory of 3116	1680	3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe	85
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 1512	3808	tmp.exe	86
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87
PID 3808 wrote to memory of 3080	3808	tmp.exe	87

C:\Users\Admin\AppData\Local\Temp\3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe
"C:\Users\Admin\AppData\Local\Temp\3b6b825c48d5169a01f446cb56ea4a410e3b0d7f6d85980bfdb6b509c160bb88.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\n3FCPTNol8.ini"
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\5u7M8meZMi.ini"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:3080
- C:\Windows\temp\notepad .exe
  "C:\Windows\temp\notepad .exe"
  2⤵
  PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n3FCPTNol8.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
260KB

MD5
037f24e2e4901e234832e0a44b11713d

SHA1
127b8f22a1825db07962ed411fd90a6a58bf917d

SHA256
2549527c6cd40bc5c823bca275e4b3272b3c6dd2d2433f51831e96786b6531a3

SHA512
e786c771568e3e6d1a6aff91958b84646c454606a1f2a1cfa7b6901dcd112067e904fd73946163fa47419a1d4acfd7d72348d3735ed23c8ce1e466824a3b1f71

Download Submit
memory/1512-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-140-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1680-147-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-133-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/3080-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing