isrstealer | 069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
Size

1.2MB
MD5

122385771337be68407411abbb90c8ad
SHA1

8fdaa9b64239281ce74b5028a59d43d0551549c1
SHA256

069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3
SHA512

f8162ea96469fe4510172daa0d33c66e190f950d73d441895f1dcaf783866c385fba97509c5b4e0e81d77aea5aca5702dfbf42ef0bf85d75336e2036d2994c12
SSDEEP

24576:FIF6nnjqKoev8IgX9ERDoV4z+o25YV6HJfzag4D9vw9UpFTMZD6:FIojqKoevieRUeKYON4D9uULMZD6

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2044-85-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer
behavioral1/memory/2044-94-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer
behavioral1/memory/2044-100-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer
behavioral1/memory/2044-108-0x0000000000400000-0x0000000000448000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1800-106-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1800-107-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1800-106-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1800-107-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
944	QhuAqp.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-64-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1988-66-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1988-67-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1988-70-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1988-71-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1988-74-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2044-78-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2044-80-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2044-81-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2044-84-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2044-85-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/812-88-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/812-93-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/812-92-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2044-94-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/812-95-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/812-96-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1988-99-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2044-100-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1800-101-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1800-105-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1800-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1800-107-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2044-108-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1960	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 1988	944	QhuAqp.exe	29
PID 1988 set thread context of 2044	1988	svchost.exe	30
PID 2044 set thread context of 812	2044	svchost.exe	31
PID 2044 set thread context of 1800	2044	svchost.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
944	QhuAqp.exe
944	QhuAqp.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
944	QhuAqp.exe
944	QhuAqp.exe
944	QhuAqp.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
944	QhuAqp.exe
944	QhuAqp.exe
944	QhuAqp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	svchost.exe
2044	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 944	1960	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	28
PID 1960 wrote to memory of 944	1960	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	28
PID 1960 wrote to memory of 944	1960	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	28
PID 1960 wrote to memory of 944	1960	069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe	28
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 944 wrote to memory of 1988	944	QhuAqp.exe	29
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 1988 wrote to memory of 2044	1988	svchost.exe	30
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 812	2044	svchost.exe	31
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34
PID 2044 wrote to memory of 1800	2044	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe
"C:\Users\Admin\AppData\Local\Temp\069983c1b91e3baae09ca41c3928a8defe2aa506cd59e6d63575e6eaa6d2dca3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe" "EPmfcM"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\svchost.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NcVVDvV2It.ini"
        5⤵
        
        PID:812
    - - C:\Windows\SysWOW64\svchost.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\2PRwsCSv0g.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NcVVDvV2It.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\EPmfcM

Filesize
4KB

MD5
c33972de451728010b789db71ca96ea2

SHA1
ef76706b8b11e3ca38021ea16eae228b2d2266f1

SHA256
38131c761147fb9520c835f21af120cc2d8dbb855cf9d50608941cc85bf3bc20

SHA512
b84ef73aafc3c6e23d2aab693f3804ff42f488fc779889d0443df704f4462e20ac6d6101fd0ad6aa0da2a9666bf4b2d59b20a3b00453116d524a706fe568f67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FewQAG.exe

Filesize
102KB

MD5
db2e369382ce29caf06f8a1fe2055d9c

SHA1
a64694660758632d4733d83c15519e23c1c37bdd

SHA256
f4b43f39c7f49489c6b6087951477be241af9977a9b65ea09ce0d88df91014b6

SHA512
0e6c6d4da3c246f54830b23bd017cfff9412769e4f217a30b64a1fe096afe0fe138e479b15faa48bc09a47a4f42a5bd97476740a71f24b28567ffb5eebb67bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RwFLOJ.txt

Filesize
876KB

MD5
8f0fbb38e468f1c804b281ee7329690c

SHA1
a215fc648bd7ee49976d28161f8b39aa34264738

SHA256
b6fa531a4038ad200a69f6401243d928b80dbcd7bbc29d3accb4c21b7a3dc53f

SHA512
68e96b836dda6f6c7934087034ec84c96396271c2bfba585b2296f4b30cc127561a75ffa07f1bd5444fdc87240f652daa9fc4d94d01e39a61f28d51baedba611

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
db2e369382ce29caf06f8a1fe2055d9c

SHA1
a64694660758632d4733d83c15519e23c1c37bdd

SHA256
f4b43f39c7f49489c6b6087951477be241af9977a9b65ea09ce0d88df91014b6

SHA512
0e6c6d4da3c246f54830b23bd017cfff9412769e4f217a30b64a1fe096afe0fe138e479b15faa48bc09a47a4f42a5bd97476740a71f24b28567ffb5eebb67bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.txt

Filesize
876KB

MD5
8f0fbb38e468f1c804b281ee7329690c

SHA1
a215fc648bd7ee49976d28161f8b39aa34264738

SHA256
b6fa531a4038ad200a69f6401243d928b80dbcd7bbc29d3accb4c21b7a3dc53f

SHA512
68e96b836dda6f6c7934087034ec84c96396271c2bfba585b2296f4b30cc127561a75ffa07f1bd5444fdc87240f652daa9fc4d94d01e39a61f28d51baedba611

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\QhuAqp.exe

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/812-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-95-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-93-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1988-66-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-70-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-63-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-64-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-67-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-99-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-71-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1988-74-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2044-77-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-78-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-100-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-84-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download