isrstealer | d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e

General

Target

d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe
Size

1.7MB
MD5

8e909b372d7d2e2dd9c4009860353785
SHA1

49980560942fb08f9682f5f5f9fc9776f25c4ea3
SHA256

d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e
SHA512

8ce9c2e5f1d2eb6e00f2dc95d1c13c3de455017bdd5ca1547751ad5fe686f88833bfcd9e5daf57c3d0cc32d3e3def917138cf5728a15034b57fbeff137e35bac
SSDEEP

49152:30cWXWjEJJ83Os4Gi1t4bdvBUgTGLxiuZ7t:35+qEr837/HExiuZB

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/8-137-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/8-140-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
3696	explorer.exe
2828	WinRAR.4.11.x64.en.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 8	3696	explorer.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
8	AppLaunch.exe
8	AppLaunch.exe
8	AppLaunch.exe
8	AppLaunch.exe
8	AppLaunch.exe
8	AppLaunch.exe
8	AppLaunch.exe
8	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
8	AppLaunch.exe
2828	WinRAR.4.11.x64.en.exe
2828	WinRAR.4.11.x64.en.exe
2828	WinRAR.4.11.x64.en.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3696	5036	d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe	81
PID 5036 wrote to memory of 3696	5036	d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe	81
PID 5036 wrote to memory of 3696	5036	d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe	81
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 3696 wrote to memory of 8	3696	explorer.exe	84
PID 5036 wrote to memory of 2828	5036	d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe	85
PID 5036 wrote to memory of 2828	5036	d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe	85

C:\Users\Admin\AppData\Local\Temp\d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe
"C:\Users\Admin\AppData\Local\Temp\d21e0a13be0061653b88d7a5c62299f7658ff7f82e372760233ba775622a997e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:8
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR.4.11.x64.en.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR.4.11.x64.en.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR.4.11.x64.en.exe

Filesize
1.6MB

MD5
dfd98fdf22cae97d52e93521bb99e42a

SHA1
f554deaf3b169f6a2598d5773087377f94395418

SHA256
6b764143299e51e2fc384012000959ac5eb94f08a0ab405e8d38f0509bfd5328

SHA512
fc56b6d83ff2b1e8b955881dc49a5d117002b62f0579d681d84a27370f84cc1ecdc56f06593b6bdfdb4b3e39af1df610943d9723ead48c7f4b2d64c4aa3b5679

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRAR.4.11.x64.en.exe

Filesize
1.6MB

MD5
dfd98fdf22cae97d52e93521bb99e42a

SHA1
f554deaf3b169f6a2598d5773087377f94395418

SHA256
6b764143299e51e2fc384012000959ac5eb94f08a0ab405e8d38f0509bfd5328

SHA512
fc56b6d83ff2b1e8b955881dc49a5d117002b62f0579d681d84a27370f84cc1ecdc56f06593b6bdfdb4b3e39af1df610943d9723ead48c7f4b2d64c4aa3b5679

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe

Filesize
157KB

MD5
1b65568bc870cca49117f9ebb3cd2d59

SHA1
8221ed9e44ff774c170f8c95f42133b305df6a4d

SHA256
87027d70026820e045d60273da56dcd87b79201857e5884502ee06d2a5258e42

SHA512
9791d13ab9542d813be3639b5a15b425fcd744526d16d2cf04055ad387e63540cd4fdab8e31403107536d9f4dfd3c5afc132158449312bab03204f52c61ad868

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe

Filesize
157KB

MD5
1b65568bc870cca49117f9ebb3cd2d59

SHA1
8221ed9e44ff774c170f8c95f42133b305df6a4d

SHA256
87027d70026820e045d60273da56dcd87b79201857e5884502ee06d2a5258e42

SHA512
9791d13ab9542d813be3639b5a15b425fcd744526d16d2cf04055ad387e63540cd4fdab8e31403107536d9f4dfd3c5afc132158449312bab03204f52c61ad868

Download Submit
memory/8-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/8-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3696-135-0x0000000072920000-0x0000000072ED1000-memory.dmp

Filesize
5.7MB

Download
memory/3696-139-0x0000000072920000-0x0000000072ED1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing