isrstealer | 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6

General

Target

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
Size

552KB
MD5

71ee4719874a577f4aacabe52668f341
SHA1

4e61f9699f3ff32871b493fcda3ee134d681a64a
SHA256

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6
SHA512

147fd4618892c26ae9d00bee91416e3697b7e656cba21bd5fdd168e23026f7db70cfd1eadf8957b690152e31ac852c67d80d829142a47b5ab0fc7fa4fdd2096b
SSDEEP

6144:DooqCevklyNpFiq+6sqjBkEs2P+avFpPK39pe58EJGGdYBZvd9OVqq65scTiK/Rd:D6ZkENWgtvrwpeaHgS/OVqqys5DYH

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-135-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3212-137-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3212-148-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3212-152-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exetakshost.exe

description	pid	process	target process
PID 1632 set thread context of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 set thread context of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 2544 set thread context of 4124	2544	takshost.exe	takshost.exe
PID 3212 set thread context of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exetakshost.exe

pid	process
1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
2544	takshost.exe
2544	takshost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

pid process

1632 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exetakshost.exe

description	pid	process
Token: SeDebugPrivilege	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
Token: SeDebugPrivilege	2544	takshost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

pid process

3212 0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

pid	process
3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exetakshost.exe

description	pid	process	target process
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 3212	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 1632 wrote to memory of 2544	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	takshost.exe
PID 1632 wrote to memory of 2544	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	takshost.exe
PID 1632 wrote to memory of 2544	1632	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 2544 wrote to memory of 4124	2544	takshost.exe	takshost.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
PID 3212 wrote to memory of 0	3212	0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe

C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
"C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe
"C:\Users\Admin\AppData\Local\Temp\0f4810f7fb8e05a70ab4c3ea5fb8b9f598ec8221541f0627acebf851cb1c1dc6.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
3⤵
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/0-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/0-140-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1632-133-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1632-142-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-149-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-150-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-141-0x0000000000000000-mapping.dmp

Download
memory/2544-143-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3212-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3212-134-0x0000000000000000-mapping.dmp

Download
memory/3212-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads