isrstealer | 7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474

Analysis

max time kernel
160s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
Size

7.4MB
MD5

042d8f91b6cf63017646706b74561b27
SHA1

4bfe69b43b1bfe28702a7ef44cc68127b0b5ae05
SHA256

7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474
SHA512

73f68f192ec224a138da103eabb0c885b3a07bfb0bd4f5f5774d1294d614535ffefa58d404c1e9b1e0e9268456a198b81b79008b5dcefdfcd12c1c228e186b92
SSDEEP

196608:pAnqVdHABvooPl0+cTY3tZLJejmOAWx1AtdmCimv/SHqUUHv/Swv/SW45qUUpcQE:+wQ5N0+mYZ1itLAdWm8q/Hz5aq/RC7p

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/444-134-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/444-155-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/444-168-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3996-146-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/3996-159-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/3996-167-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/3996-146-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/3996-159-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/3960-163-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3960-165-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3996-167-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
444	cvtres.exe
5116	cvtres.exe
3996	cvtres.exe
3960	cvtres.exe
372	cvtres.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3960-150-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/372-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/372-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3960-161-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3960-163-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3960-165-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 444 set thread context of 5116	444	cvtres.exe	83
PID 5116 set thread context of 3996	5116	cvtres.exe	84
PID 5116 set thread context of 3960	5116	cvtres.exe	85
PID 5116 set thread context of 372	5116	cvtres.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
444	cvtres.exe
444	cvtres.exe
444	cvtres.exe
444	cvtres.exe
444	cvtres.exe
444	cvtres.exe
444	cvtres.exe
444	cvtres.exe
3960	cvtres.exe
3960	cvtres.exe
3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
Token: SeDebugPrivilege	3960	cvtres.exe
Token: SeDebugPrivilege	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
444	cvtres.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 3060 wrote to memory of 444	3060	7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe	82
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 444 wrote to memory of 5116	444	cvtres.exe	83
PID 5116 wrote to memory of 3996	5116	cvtres.exe	84
PID 5116 wrote to memory of 3996	5116	cvtres.exe	84
PID 5116 wrote to memory of 3996	5116	cvtres.exe	84
PID 5116 wrote to memory of 3996	5116	cvtres.exe	84
PID 5116 wrote to memory of 3996	5116	cvtres.exe	84
PID 5116 wrote to memory of 3960	5116	cvtres.exe	85
PID 5116 wrote to memory of 3960	5116	cvtres.exe	85
PID 5116 wrote to memory of 3960	5116	cvtres.exe	85
PID 5116 wrote to memory of 3960	5116	cvtres.exe	85
PID 5116 wrote to memory of 3960	5116	cvtres.exe	85
PID 5116 wrote to memory of 372	5116	cvtres.exe	86
PID 5116 wrote to memory of 372	5116	cvtres.exe	86
PID 5116 wrote to memory of 372	5116	cvtres.exe	86
PID 5116 wrote to memory of 372	5116	cvtres.exe	86
PID 5116 wrote to memory of 372	5116	cvtres.exe	86

C:\Users\Admin\AppData\Local\Temp\7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe
"C:\Users\Admin\AppData\Local\Temp\7b083e02dacacc8c7e04a9cf71c96ede50190d031e6fd9c5c21db08e80efb474.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\cvtres.exe
  C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
      4⤵
      Executes dropped EXE
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/372-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/444-155-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/444-168-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/444-134-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3060-169-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3060-132-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/3960-163-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3960-165-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3960-161-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3960-150-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3996-159-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3996-167-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3996-146-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5116-144-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5116-141-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5116-158-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5116-143-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download