isrstealer | f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f

Analysis

max time kernel
368s
max time network
411s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe
Size

20.6MB
MD5

c9d30935cb9350dbce1cbfc2ac92dbc5
SHA1

e66ccf6cb22f07c6e80645dd715631dc00293936
SHA256

f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f
SHA512

19d7858888c385b7f1d54fd1ab4cab92a5e07e452b929b6b4004518dec0f54c8f02ebc883992c80cd1e4c83da682f1a73c744e2630278a3947c5955585087847
SSDEEP

49152:GTLnvop5uWKmeI31s85sRK0zVaSU64qRKZCkFMjQeMuSIu1+AtcqzWS:2LdZmW8ux0h64BQkiQeMuSIu1+AOqzv

Score

10^/10

isrstealer persistence stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/2144-135-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2144-139-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup Key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\autostart.exe"	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84
PID 1816 wrote to memory of 2144	1816	f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe	84

C:\Users\Admin\AppData\Local\Temp\f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe
"C:\Users\Admin\AppData\Local\Temp\f91deae6f18054467eafaec13876afe848fd003fcc30b3c1b491c8e5a12d0a2f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-132-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/1816-133-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/2144-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download