isrstealer | 764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6

Analysis

max time kernel
28s
max time network
67s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
Size

6.9MB
MD5

5440281fafbdd4309fc5fb1724af11d2
SHA1

14a521a069a5d0099ca454fc0b2aa740b7b41fc7
SHA256

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6
SHA512

c6079f9ce8fe8ebbc39b84014bc955d8d732e60ff663bea342850241df9faaeed2331c0ed26bf52f92f1d6d9eaf833b2e9d599bbca4115f21c4d223918f633f4
SSDEEP

196608:ycnG9S9X4YJbM5M6i4XvLsLvZLCmyhh4Gt/OvnxusX7:NnG96q5M6irhmmyhhncn5r

Score

10^/10

isrstealer aspackv2 spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-89-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer
behavioral1/memory/1692-94-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer
behavioral1/memory/1692-95-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x000d0000000054a8-55.dat	aspack_v212_v242
behavioral1/files/0x000d0000000054a8-56.dat	aspack_v212_v242
behavioral1/files/0x000d0000000054a8-58.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

DVDFab.exexx.exexx.exe

pid	Process
1060	DVDFab.exe
2024	xx.exe
1692	xx.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000a00000001339d-60.dat	upx
behavioral1/files/0x000a00000001339d-59.dat	upx
behavioral1/files/0x000a00000001339d-63.dat	upx
behavioral1/files/0x000a00000001339d-65.dat	upx
behavioral1/files/0x000a00000001339d-66.dat	upx
behavioral1/files/0x000a00000001339d-68.dat	upx
behavioral1/files/0x000a00000001339d-67.dat	upx
behavioral1/memory/2024-70-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2024-75-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/files/0x000a00000001339d-76.dat	upx
behavioral1/memory/1692-77-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000a00000001339d-79.dat	upx
behavioral1/memory/1692-82-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2024-81-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/files/0x000a00000001339d-84.dat	upx
behavioral1/files/0x000a00000001339d-85.dat	upx
behavioral1/files/0x000a00000001339d-86.dat	upx
behavioral1/memory/1692-88-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1692-89-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1692-94-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1692-95-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Loads dropped DLL 11 IoCs

Processes:

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exexx.exexx.exe

pid	Process
2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
2024	xx.exe
2024	xx.exe
2024	xx.exe
2024	xx.exe
1692	xx.exe
1692	xx.exe
1692	xx.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

xx.exe

description	pid	Process	procid_target
PID 2024 set thread context of 1692	2024	xx.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

xx.exe

pid	Process
1692	xx.exe
1692	xx.exe
1692	xx.exe
1692	xx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

xx.exexx.exe

pid	Process
2024	xx.exe
1692	xx.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exexx.exe

description	pid	Process	procid_target
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 1060	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	27
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2036 wrote to memory of 2024	2036	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	28
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29
PID 2024 wrote to memory of 1692	2024	xx.exe	29

C:\Users\Admin\AppData\Local\Temp\764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
"C:\Users\Admin\AppData\Local\Temp\764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\DVDFab.exe
  "C:\Users\Admin\AppData\Local\Temp\DVDFab.exe"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\xx.exe
  "C:\Users\Admin\AppData\Local\Temp\xx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\xx.exe
    "C:\Users\Admin\AppData\Local\Temp\xx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DVDFab.exe

Filesize
6.8MB

MD5
b725ff3e2b31df2195cc702a3ca3d588

SHA1
8331c6fd6493e558431f5be26d823fb2f0021bae

SHA256
08c53410e20910b0bd9d83ef6c2eb4f26210953fc151715be4b7c029b7329594

SHA512
c762a47909a422e3eb8870d2b9c72f54b53f3ba456dbf39a9afefed4430bab2477058b72a0896a1e956fd6f317676115c4305d4c6ec97a923eaefca06abe46eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\DVDFab.exe

Filesize
6.8MB

MD5
b725ff3e2b31df2195cc702a3ca3d588

SHA1
8331c6fd6493e558431f5be26d823fb2f0021bae

SHA256
08c53410e20910b0bd9d83ef6c2eb4f26210953fc151715be4b7c029b7329594

SHA512
c762a47909a422e3eb8870d2b9c72f54b53f3ba456dbf39a9afefed4430bab2477058b72a0896a1e956fd6f317676115c4305d4c6ec97a923eaefca06abe46eb

Download Submit
\Users\Admin\AppData\Local\Temp\DVDFab.exe

Filesize
6.8MB

MD5
b725ff3e2b31df2195cc702a3ca3d588

SHA1
8331c6fd6493e558431f5be26d823fb2f0021bae

SHA256
08c53410e20910b0bd9d83ef6c2eb4f26210953fc151715be4b7c029b7329594

SHA512
c762a47909a422e3eb8870d2b9c72f54b53f3ba456dbf39a9afefed4430bab2477058b72a0896a1e956fd6f317676115c4305d4c6ec97a923eaefca06abe46eb

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
memory/1060-69-0x0000000000400000-0x00000000016F5000-memory.dmp

Filesize
19.0MB

Download
memory/1060-57-0x0000000000000000-mapping.dmp

Download
memory/1692-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-89-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-77-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-78-0x0000000000415920-mapping.dmp

Download
memory/1692-92-0x0000000000880000-0x00000000008FE000-memory.dmp

Filesize
504KB

Download
memory/1692-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-93-0x0000000000880000-0x00000000008FE000-memory.dmp

Filesize
504KB

Download
memory/1692-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download
memory/2024-81-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-75-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-74-0x00000000008E0000-0x000000000095E000-memory.dmp

Filesize
504KB

Download
memory/2024-73-0x00000000008E0000-0x000000000095E000-memory.dmp

Filesize
504KB

Download
memory/2024-70-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2036-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download