isrstealer | af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825 | Triage

Submit
Reports

Overview

overview

Static

static

af08c380e3...25.exe

windows7-x64

af08c380e3...25.exe

windows10-2004-x64

Sharing

General

Target

af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825
Size

434KB
Sample

221127-sngkmabf7s
MD5

668e3638176dbd775ec76a0008e089f7
SHA1

cf7a31ce45d69ec3a3592cea4b78b40d325758d6
SHA256

af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825
SHA512

c40322fe21e3b6044eb866d4f3cf9e68fe183b816504c78f4700ee885706847d255ecda18325f2a234b9d935d3b87fd1d7581aba5ae8b0c4e9dd1f5a4449d9bb
SSDEEP

6144:otLUWAEMjr7UzJXnLxQ5fyZkWKEZbxOf9FT+taocZoRHsdaFkPAUayp1wF1L15fL:oc3rmdQ56/KEZbEjK+xaFV15hGUJ

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825.exe

Resource

win7-20221111-en

isrstealer collection persistence spyware stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825.exe

Resource

win10v2004-20221111-en

isrstealer collection persistence spyware stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825
- Size
  
  434KB
- MD5
  
  668e3638176dbd775ec76a0008e089f7
- SHA1
  
  cf7a31ce45d69ec3a3592cea4b78b40d325758d6
- SHA256
  
  af08c380e3534dfcc64c8afb8c0422166de42f3d29c9005a4cf8a7c17c985825
- SHA512
  
  c40322fe21e3b6044eb866d4f3cf9e68fe183b816504c78f4700ee885706847d255ecda18325f2a234b9d935d3b87fd1d7581aba5ae8b0c4e9dd1f5a4449d9bb
- SSDEEP
  
  6144:otLUWAEMjr7UzJXnLxQ5fyZkWKEZbxOf9FT+taocZoRHsdaFkPAUayp1wF1L15fL:oc3rmdQ56/KEZbEjK+xaFV15hGUJ
Score

10^/10

isrstealer collection persistence spyware stealer trojan upx
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
  trojan stealer isrstealer
- ISR Stealer payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

isrstealercollectionpersistencespywarestealertrojanupx

behavioral2

isrstealercollectionpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy