isrstealer | ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40

General

Target

ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe
Size

1.1MB
MD5

442987d5f387683241f0fc4451d6505f
SHA1

763925e690da9c4ac9e354d3e974db30149bd9f5
SHA256

ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40
SHA512

b1e3c596d42116e7d014c76de1c868faf86f078a7d102549b84e715d5ac131bcbdbebcb1168e3e1318c7e0774010d50b7a35fa785d7b04f929e1efc1b9c9d641
SSDEEP

24576:Vm9x+JQdTqQ4i8EbtPcFWO0j8ksr7Sk4Lg9eDBbt8dTqQ4iMW:6tTqQ4irPcFOjz67Sk4rVbteTqQ4iMW

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/4708-134-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/4708-144-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/4708-146-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
4708	svchost.exe
1192	PlayMaxPayne3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4708	svchost.exe
4708	svchost.exe
4708	svchost.exe
4708	svchost.exe
4708	svchost.exe
4708	svchost.exe
4708	svchost.exe
4708	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1192	PlayMaxPayne3.exe
1192	PlayMaxPayne3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1192	PlayMaxPayne3.exe
1192	PlayMaxPayne3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4708	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 4708	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	81
PID 3548 wrote to memory of 1192	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	82
PID 3548 wrote to memory of 1192	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	82
PID 3548 wrote to memory of 1192	3548	ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe	82

C:\Users\Admin\AppData\Local\Temp\ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe
"C:\Users\Admin\AppData\Local\Temp\ba3e057e7a823f18733de4b2514968c0e4c95ee146e1235ef583c2ea28fc3b40.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\PlayMaxPayne3.exe
  "C:\Users\Admin\AppData\Local\Temp\PlayMaxPayne3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PlayMaxPayne3.exe

Filesize
990KB

MD5
4ed741a5d519a63d9d91edae48cc9272

SHA1
eddc7167c07053a105fe0965df6dcad256012169

SHA256
0254cc537b52f42d425df86cec596924d79a8e98a4268e7492f4131952417d48

SHA512
cc76e67e9359f48c4c64f564e1d590c8e6bd9e0e00d351cf90c4e9560812b7a7d4b15bafb5a5cc7372644041dc4fe5d95520543b6d5ca9b1df4c4a25eabb2168

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlayMaxPayne3.exe

Filesize
990KB

MD5
4ed741a5d519a63d9d91edae48cc9272

SHA1
eddc7167c07053a105fe0965df6dcad256012169

SHA256
0254cc537b52f42d425df86cec596924d79a8e98a4268e7492f4131952417d48

SHA512
cc76e67e9359f48c4c64f564e1d590c8e6bd9e0e00d351cf90c4e9560812b7a7d4b15bafb5a5cc7372644041dc4fe5d95520543b6d5ca9b1df4c4a25eabb2168

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/1192-145-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-147-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/3548-133-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/3548-143-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4708-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4708-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing