isrstealer | 7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822

General

Target

7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe
Size

405KB
MD5

99aec7c9dfe5997629865111c661ea3b
SHA1

8de9938997643e618a40c610d58740e992d185b6
SHA256

7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822
SHA512

f721b155bc35f04295961894fcca86d124beb4679431091c13511ff59b26d9476fd27480e02adcdc592d4d0b57a81a0aebc29365b112468599d4f0091ebd04da
SSDEEP

6144:k3Et0r+l3xSv19xRWl8q9BORHuts38YK1F5gGTUwP+WMt0e2q:CEtefvzxclMut6871Ltb2WO0y

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/320-140-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/320-153-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/320-164-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3380-157-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/3380-162-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3380-163-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3380-165-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral2/memory/3380-157-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/3380-162-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3380-163-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3380-165-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
4052	BXRll.exe
320	cvtres.exe
3740	cvtres.exe
3380	cvtres.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3740-148-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3740-151-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3740-152-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3740-154-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3740-155-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3380-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3380-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3380-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3380-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3380-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 320	4052	BXRll.exe	83
PID 320 set thread context of 3740	320	cvtres.exe	84
PID 320 set thread context of 3380	320	cvtres.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe
File opened for modification	C:\Windows\assembly	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4052	BXRll.exe
4052	BXRll.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	BXRll.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
320	cvtres.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 4052	524	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe	82
PID 524 wrote to memory of 4052	524	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe	82
PID 524 wrote to memory of 4052	524	7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe	82
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 4052 wrote to memory of 320	4052	BXRll.exe	83
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3740	320	cvtres.exe	84
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88
PID 320 wrote to memory of 3380	320	cvtres.exe	88

C:\Users\Admin\AppData\Local\Temp\7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe
"C:\Users\Admin\AppData\Local\Temp\7928dac0e4bbbcd00a01f766eaf89e1469e7eb8e5f46d2015f67e8c5dd045822.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\BXRll.exe
  "C:\Users\Admin\AppData\Local\Temp\BXRll.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\5ZaZCUCit8.ini"
      4⤵
      Executes dropped EXE
      PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ETLpIZUSZc.ini"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ZaZCUCit8.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BXRll.exe

Filesize
331KB

MD5
79476ffeb7955a1e51f50c439b10e43e

SHA1
f7e8a21b51bb2def7487f9088a8c81a34a636f1d

SHA256
514900a512a713a93f6972676f74caa2d9a2a9b4682058bceb476335505fad06

SHA512
ab870b55ed2618946fd8be64deb935617176b0ed797c480a4e97546229f85f34342633b7d28f2209572ef39a97a6d3d7265c157448c83fa0087ff9a31354b943

Download Submit
C:\Users\Admin\AppData\Local\Temp\BXRll.exe

Filesize
331KB

MD5
79476ffeb7955a1e51f50c439b10e43e

SHA1
f7e8a21b51bb2def7487f9088a8c81a34a636f1d

SHA256
514900a512a713a93f6972676f74caa2d9a2a9b4682058bceb476335505fad06

SHA512
ab870b55ed2618946fd8be64deb935617176b0ed797c480a4e97546229f85f34342633b7d28f2209572ef39a97a6d3d7265c157448c83fa0087ff9a31354b943

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/320-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/320-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/320-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-137-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/524-132-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/524-133-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/3380-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3740-154-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4052-145-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download
memory/4052-139-0x0000000075280000-0x0000000075831000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing