isrstealer | 84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49

Analysis

max time kernel
125s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe
Size

396KB
MD5

a8ef2d5e506116cae0588c134067e490
SHA1

3501032b5e4dce90617788656d45724379c461aa
SHA256

84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49
SHA512

15351b82a74d8131a6fa2c605c0fef357b6659d9980ee36bae2e4661dd4b688ffce23463afb75169bdbd1dac36e30ec3169e31c86cb0b1ca27b6ce774cb71938
SSDEEP

12288:1sW8WRB7+0RDWj0h349/rC7Yt4ufjkz7hZJFiUzEA52JjH:yuRJ+tj0349/CaVgHhZJpn2JL

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1080-59-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1080-62-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/1080-61-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1080-69-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1080-71-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1080-86-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 1080 set thread context of 1072	1080	RegSvcs.exe	30
PID 1080 set thread context of 1576	1080	RegSvcs.exe	31
PID 960 set thread context of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1080	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 960 wrote to memory of 1080	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	29
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1072	1080	RegSvcs.exe	30
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 1080 wrote to memory of 1576	1080	RegSvcs.exe	31
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32
PID 960 wrote to memory of 932	960	84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe	32

C:\Users\Admin\AppData\Local\Temp\84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe
"C:\Users\Admin\AppData\Local\Temp\84f05dc3388e320815b9b4213746055bf5fed22e284808f262d6b2fade256a49.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\Rcyf684cfQ.ini"
    3⤵
    PID:1072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\si5JpB5Ktq.ini"
    3⤵
    PID:1576
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /xSILlzCwXBSr /C:\Users\Admin\AppData\Roaming\xSILlzCwXBSr\xSILlzCwXBSr.exe
  2⤵
  PID:932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-87-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/932-85-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/932-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/932-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/960-70-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/960-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/960-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/960-88-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1080-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads