isrstealer | 07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc

Analysis

max time kernel
66s
max time network
71s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
Size

701KB
MD5

0f290201bfb725e1ff1bb560f686f176
SHA1

7ddb6af5c8645db20ab10c416dbdeb179b98f1a9
SHA256

07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc
SHA512

18b7c83f52269fc265e3fa82344bbb938372351dea42cfd6573e72c8f43e194aa8058e1ca539a85257a36ec85407a38a25d5496004012fe804921769015267c3
SSDEEP

12288:0/LN583RI3HfUbaDopr0BynlBd/m4gsqH5hdKbUZbguITHFVPQs:0/LN5soHmaspWynlT/9gbhKbeUuS

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
austin316

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/952-66-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral1/memory/952-69-0x00000000004011F8-mapping.dmp	family_isrstealer
behavioral1/memory/952-68-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral1/memory/952-99-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral1/memory/952-107-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/1928-96-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral1/memory/1928-97-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral1/memory/1928-100-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1656	61413.exe
1692	Temp.exe
360	Temp.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-90-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1928-95-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1928-96-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1928-97-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1928-100-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 952 set thread context of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 652 set thread context of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
Token: SeDebugPrivilege	1928	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
Token: SeDebugPrivilege	1656	61413.exe
Token: SeDebugPrivilege	1692	Temp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
1692	Temp.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1656	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	27
PID 1192 wrote to memory of 1656	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	27
PID 1192 wrote to memory of 1656	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	27
PID 1192 wrote to memory of 1656	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	27
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 1192 wrote to memory of 952	1192	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	28
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 952 wrote to memory of 652	952	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	29
PID 652 wrote to memory of 1608	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	30
PID 652 wrote to memory of 1608	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	30
PID 652 wrote to memory of 1608	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	30
PID 652 wrote to memory of 1608	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	30
PID 652 wrote to memory of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31
PID 652 wrote to memory of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31
PID 652 wrote to memory of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31
PID 652 wrote to memory of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31
PID 652 wrote to memory of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31
PID 652 wrote to memory of 1928	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	31
PID 652 wrote to memory of 1640	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	32
PID 652 wrote to memory of 1640	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	32
PID 652 wrote to memory of 1640	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	32
PID 652 wrote to memory of 1640	652	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	32
PID 1656 wrote to memory of 1692	1656	61413.exe	34
PID 1656 wrote to memory of 1692	1656	61413.exe	34
PID 1656 wrote to memory of 1692	1656	61413.exe	34
PID 1656 wrote to memory of 1692	1656	61413.exe	34
PID 1692 wrote to memory of 1300	1692	Temp.exe	36
PID 1692 wrote to memory of 1300	1692	Temp.exe	36
PID 1692 wrote to memory of 1300	1692	Temp.exe	36
PID 1692 wrote to memory of 1300	1692	Temp.exe	36
PID 1692 wrote to memory of 360	1692	Temp.exe	38
PID 1692 wrote to memory of 360	1692	Temp.exe	38
PID 1692 wrote to memory of 360	1692	Temp.exe	38
PID 1692 wrote to memory of 360	1692	Temp.exe	38

C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
"C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Roaming\Temp.exe
    "C:\Users\Admin\AppData\Roaming\Temp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe "C:\Users\Admin\AppData\Roaming\Temp.il"
      4⤵
      PID:1300
  - - C:\Users\Admin\AppData\Roaming\Temp.exe
      C:\Users\Admin\AppData\Roaming\Temp.exe
      4⤵
      Executes dropped EXE
      PID:360
- C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
  "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
    "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
      "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
      "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
      "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
      4⤵
      PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp.il

Filesize
709B

MD5
dfe78bf008c12dd763d1c7c1268864e4

SHA1
33941204b40d8c68ec0b2a7a7d7b7085b8508f73

SHA256
9c75943cf3a0abaec4509318e0bb2a21a82100a31680a56ba7ef7b1a448308ee

SHA512
c43d043179ad87ee8e33d69fb174a8fa444f7c6cbb0af6f06dfaae281fa004c38523bb935589db0cc4a2c02b8a30ffa4c0d86b2f9503dcb763fd8b4962dafd51

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
memory/360-113-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/360-115-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/652-93-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-87-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-86-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-75-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-78-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-80-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-82-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-81-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/652-84-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/952-68-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/952-62-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/952-64-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/952-107-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/952-66-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/952-99-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1192-73-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-55-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1192-56-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-105-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-98-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-106-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-114-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-100-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1928-97-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1928-96-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1928-95-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1928-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1928-88-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download