isrstealer | 07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc

Analysis

max time kernel
123s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
Size

701KB
MD5

0f290201bfb725e1ff1bb560f686f176
SHA1

7ddb6af5c8645db20ab10c416dbdeb179b98f1a9
SHA256

07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc
SHA512

18b7c83f52269fc265e3fa82344bbb938372351dea42cfd6573e72c8f43e194aa8058e1ca539a85257a36ec85407a38a25d5496004012fe804921769015267c3
SSDEEP

12288:0/LN583RI3HfUbaDopr0BynlBd/m4gsqH5hdKbUZbguITHFVPQs:0/LN5soHmaspWynlT/9gbhKbeUuS

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
austin316

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3284-138-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/3284-140-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/3284-144-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/3284-159-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4284-151-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/4284-155-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/4284-157-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/4284-151-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/4284-155-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/4284-157-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
5104	61413.exe
3504	Temp.exe
2580	Temp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	61413.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 3284 set thread context of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3812 set thread context of 4284	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
Token: SeDebugPrivilege	5104	61413.exe
Token: SeDebugPrivilege	3504	Temp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
3504	Temp.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 5104	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	89
PID 1944 wrote to memory of 5104	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	89
PID 1944 wrote to memory of 5104	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	89
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 1944 wrote to memory of 3284	1944	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	90
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3284 wrote to memory of 3812	3284	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	91
PID 3812 wrote to memory of 4284	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	93
PID 3812 wrote to memory of 4284	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	93
PID 3812 wrote to memory of 4284	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	93
PID 3812 wrote to memory of 4284	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	93
PID 3812 wrote to memory of 4284	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	93
PID 3812 wrote to memory of 1544	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	92
PID 3812 wrote to memory of 1544	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	92
PID 3812 wrote to memory of 1544	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	92
PID 3812 wrote to memory of 2228	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	94
PID 3812 wrote to memory of 2228	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	94
PID 3812 wrote to memory of 2228	3812	07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe	94
PID 5104 wrote to memory of 3504	5104	61413.exe	95
PID 5104 wrote to memory of 3504	5104	61413.exe	95
PID 5104 wrote to memory of 3504	5104	61413.exe	95
PID 3504 wrote to memory of 1108	3504	Temp.exe	96
PID 3504 wrote to memory of 1108	3504	Temp.exe	96
PID 3504 wrote to memory of 1108	3504	Temp.exe	96
PID 3504 wrote to memory of 2580	3504	Temp.exe	97
PID 3504 wrote to memory of 2580	3504	Temp.exe	97
PID 3504 wrote to memory of 2580	3504	Temp.exe	97

C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
"C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Roaming\Temp.exe
    "C:\Users\Admin\AppData\Roaming\Temp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe "C:\Users\Admin\AppData\Roaming\Temp.il"
      4⤵
      PID:1108
  - - C:\Users\Admin\AppData\Roaming\Temp.exe
      C:\Users\Admin\AppData\Roaming\Temp.exe
      4⤵
      Executes dropped EXE
      PID:2580
- C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
  "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
    "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
      "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
      4⤵
      PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
      "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe
      "C:\Users\Admin\AppData\Local\Temp\07d49e3671e2d598147f9590069c67711964027bdc4e3dc556e641b5e873b7fc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
      4⤵
      PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.dmp

Filesize
54B

MD5
c10dbeca73f8835240e08e4511284b83

SHA1
0032f8f941cc07768189ca6ba32b1beede6b6917

SHA256
0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e

SHA512
34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\61413.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp.exe

Filesize
120KB

MD5
387fa8dd13d0fec2f179d311b9952cf3

SHA1
d461b4244b5cde597fad723f0dfc5fb0c33f6b8a

SHA256
499d585eb0614f06f648f464a59f61d04794d6f2bfd9a4f6e1413e3309cb9d2c

SHA512
abed50ba51f27fce242b71335f462cbbcbe35d9936a7f77f71ee49f31df7d10e4fdab003d08740617582740204ed51463652d1228a73aa09f1023f3a5959a95d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp.il

Filesize
709B

MD5
dfe78bf008c12dd763d1c7c1268864e4

SHA1
33941204b40d8c68ec0b2a7a7d7b7085b8508f73

SHA256
9c75943cf3a0abaec4509318e0bb2a21a82100a31680a56ba7ef7b1a448308ee

SHA512
c43d043179ad87ee8e33d69fb174a8fa444f7c6cbb0af6f06dfaae281fa004c38523bb935589db0cc4a2c02b8a30ffa4c0d86b2f9503dcb763fd8b4962dafd51

Download Submit
memory/1944-142-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/1944-132-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/1944-133-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2580-170-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/2580-167-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/3284-138-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3284-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3284-159-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3284-140-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3504-163-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/3504-169-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/3812-147-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3812-149-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3812-148-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3812-156-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4284-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4284-155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4284-157-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5104-162-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/5104-145-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download