isrstealer | 764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6

General

Target

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
Size

6.9MB
MD5

5440281fafbdd4309fc5fb1724af11d2
SHA1

14a521a069a5d0099ca454fc0b2aa740b7b41fc7
SHA256

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6
SHA512

c6079f9ce8fe8ebbc39b84014bc955d8d732e60ff663bea342850241df9faaeed2331c0ed26bf52f92f1d6d9eaf833b2e9d599bbca4115f21c4d223918f633f4
SSDEEP

196608:ycnG9S9X4YJbM5M6i4XvLsLvZLCmyhh4Gt/OvnxusX7:NnG96q5M6irhmmyhhncn5r

Score

10^/10

isrstealer aspackv2 spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3448-147-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer
behavioral2/memory/3448-151-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer
behavioral2/memory/3448-152-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x000c000000022e0a-134.dat	aspack_v212_v242
behavioral2/files/0x000c000000022e0a-133.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

DVDFab.exexx.exexx.exe

pid	Process
2584	DVDFab.exe
4292	xx.exe
3448	xx.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022e0e-136.dat	upx
behavioral2/files/0x0007000000022e0e-137.dat	upx
behavioral2/memory/4292-139-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3448-143-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0007000000022e0e-144.dat	upx
behavioral2/memory/3448-146-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3448-147-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4292-150-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral2/memory/3448-151-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3448-152-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

xx.exe

description	pid	Process	procid_target
PID 4292 set thread context of 3448	4292	xx.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

xx.exe

pid	Process
3448	xx.exe
3448	xx.exe
3448	xx.exe
3448	xx.exe
3448	xx.exe
3448	xx.exe
3448	xx.exe
3448	xx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

xx.exexx.exe

pid	Process
4292	xx.exe
3448	xx.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exexx.exe

description	pid	Process	procid_target
PID 4112 wrote to memory of 2584	4112	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	85
PID 4112 wrote to memory of 2584	4112	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	85
PID 4112 wrote to memory of 2584	4112	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	85
PID 4112 wrote to memory of 4292	4112	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	86
PID 4112 wrote to memory of 4292	4112	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	86
PID 4112 wrote to memory of 4292	4112	764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe	86
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87
PID 4292 wrote to memory of 3448	4292	xx.exe	87

C:\Users\Admin\AppData\Local\Temp\764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe
"C:\Users\Admin\AppData\Local\Temp\764707b35588d5f7115cf414a042d0f5d0e49b34dfc2d88e5a279ed1339dd3a6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\DVDFab.exe
  "C:\Users\Admin\AppData\Local\Temp\DVDFab.exe"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\xx.exe
  "C:\Users\Admin\AppData\Local\Temp\xx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\xx.exe
    "C:\Users\Admin\AppData\Local\Temp\xx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DVDFab.exe

Filesize
6.8MB

MD5
b725ff3e2b31df2195cc702a3ca3d588

SHA1
8331c6fd6493e558431f5be26d823fb2f0021bae

SHA256
08c53410e20910b0bd9d83ef6c2eb4f26210953fc151715be4b7c029b7329594

SHA512
c762a47909a422e3eb8870d2b9c72f54b53f3ba456dbf39a9afefed4430bab2477058b72a0896a1e956fd6f317676115c4305d4c6ec97a923eaefca06abe46eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVDFab.exe

Filesize
6.8MB

MD5
b725ff3e2b31df2195cc702a3ca3d588

SHA1
8331c6fd6493e558431f5be26d823fb2f0021bae

SHA256
08c53410e20910b0bd9d83ef6c2eb4f26210953fc151715be4b7c029b7329594

SHA512
c762a47909a422e3eb8870d2b9c72f54b53f3ba456dbf39a9afefed4430bab2477058b72a0896a1e956fd6f317676115c4305d4c6ec97a923eaefca06abe46eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.exe

Filesize
135KB

MD5
3e1e1fb050ac689fa976dd7e609da144

SHA1
492236ddd4f02a9a6e19dda741ea9214d312ad8e

SHA256
870fde24efd33834476251fda9f8e3b5b91bfedc113871b5556928e497105c6a

SHA512
b1724000e88c6b36f46f2ac09a83462227c330fb1d62a967d422539350da4a52f5c6a67bd98bdf2368ce05066f9096e1c1b640b9b22248729fd470fb906960e6

Download Submit
memory/2584-132-0x0000000000000000-mapping.dmp

Download
memory/2584-138-0x0000000000400000-0x00000000016F5000-memory.dmp

Filesize
19.0MB

Download
memory/3448-142-0x0000000000000000-mapping.dmp

Download
memory/3448-143-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3448-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3448-147-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3448-151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3448-152-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4292-139-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4292-135-0x0000000000000000-mapping.dmp

Download
memory/4292-150-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads