isrstealer | 65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc

Analysis

max time kernel
40s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe
Size

917KB
MD5

76b2dba6a43492e10550b9a10c2368d0
SHA1

411020a85f69db023ebd0f8bc7517cd5f81b7cf2
SHA256

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc
SHA512

1912b5f7578e7bcd7daf80a3c88ceb533e3212247afd48a5c1d31a4d936219fa31fdabc92e6341ca92d1970e9383e2c571854f7c8ebd37c96a4def836039d751
SSDEEP

24576:v2O/Glwf/Rs5d0EVl1HUmPi0i3/7g6zwzRQegxP2y:hRizZ3q0i3/5k1ty

Score

10^/10

isrstealer stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/840-76-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer
behavioral1/memory/840-77-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral1/memory/840-89-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer
behavioral1/memory/840-94-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer

Executes dropped EXE 5 IoCs

pid	Process
1376	917966.exe
1276	917966.exe
840	RegSvcs.exe
1996	RegSvcs.exe
1036	RegSvcs.exe

Loads dropped DLL 5 IoCs

pid	Process
916	WScript.exe
1376	917966.exe
1276	917966.exe
840	RegSvcs.exe
840	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1276 set thread context of 840	1276	917966.exe	30
PID 840 set thread context of 1996	840	RegSvcs.exe	31
PID 840 set thread context of 1036	840	RegSvcs.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
840	RegSvcs.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 1940 wrote to memory of 916	1940	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	27
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 916 wrote to memory of 1376	916	WScript.exe	28
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1376 wrote to memory of 1276	1376	917966.exe	29
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 1276 wrote to memory of 840	1276	917966.exe	30
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1996	840	RegSvcs.exe	31
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32
PID 840 wrote to memory of 1036	840	RegSvcs.exe	32

C:\Users\Admin\AppData\Local\Temp\65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe
"C:\Users\Admin\AppData\Local\Temp\65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\ZJYAC\file.vbs" 7263
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\ZJYAC\917966.exe
    "C:\Users\Admin\ZJYAC\917966.exe" 74091.HBY
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\ZJYAC\917966.exe
      917966.exe GHIXDGEM.dat
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\zCULIpGKnI.ini"
        6⤵
        Executes dropped EXE
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\FxKgQCTmla.ini"
        6⤵
        Executes dropped EXE
        
        PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
C:\Users\Admin\ZJYAC\12474.dat

Filesize
340KB

MD5
acb220aeb0f32a4478c4eeca3f19622b

SHA1
f54c316409875113aa966c52c90198d2698ae8ec

SHA256
9eaaae5b4b088813d0cc2ace75bcf8fa2a55c33eb81797ca7a6c254a12030852

SHA512
b7a25605c39d4a2c960479f17deb47b9be531f7dba63426947eb147a4652a48e0ff0428a2680d59f038adc0af2af12d3c6eb7bedc4b98e921cf472c675f43e77

Download Submit
C:\Users\Admin\ZJYAC\412492.dat

Filesize
27KB

MD5
0e43e41307c8f998951a68e84b165b8a

SHA1
07f5cc5855e35c13834a57daad287ae1fc4ea842

SHA256
eba0934d415383c54ba5d4f16c6c33352a93b25f434641c84685d195cb439def

SHA512
4d359dc8fa7a6a94b04b8152b74240159308db637c896c174c23cacbc072f8a694dc3aa1e321d8232213bd8f34e27c1b4e493ef1dad0d0e93027bacb99eef65e

Download Submit
C:\Users\Admin\ZJYAC\74091.HBY

Filesize
4.2MB

MD5
81ebb2af1aeccdc3d0f960063892ba35

SHA1
c66f9f0a9bf8f1411cd5c698627761e4c0142144

SHA256
fd8a0f2147c349dd35b1c7eb1c26061ec86df4acc7d40cc7be0450af587a6a40

SHA512
c59589b2a18fd0fb684e9f0cc648339c3ff84de95e67313cafc01b0948e2f75312656e133489c76b9b861270a3652a0ca16547763beaa588754abc8cd998fe18

Download Submit
C:\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\ZJYAC\GHIXDGEM.dat

Filesize
27KB

MD5
c32aa4d19a4ebeb15884e3a6bebd8af2

SHA1
69e835785f0a2127655d4dbcddb9fcdc9c8766f9

SHA256
95b855811c98e617b2967ea5758efd0e2cd390ffa9060b880b3c93f1221cbe0e

SHA512
841e2f80270680fbbbb41e2d0c42cbc4e628d88f45ac33c4e50df9185180df8a96a7df55c7863abd2b76b846f2b49fc427b50ccaf107c74d623b5fe6caf04cd9

Download Submit
C:\Users\Admin\ZJYAC\NQFLZ

Filesize
1KB

MD5
6a0813d72c638d4d241926354b5b0f82

SHA1
f9fbad3509bcdbdc12388bebae781b0400172a70

SHA256
a1f78c3dcf864a446facdfdec38d32a2b9bb806272ecb16c3d8a0559dfb48fc5

SHA512
493e7a34637705517777c1eda5807cf2fac81a8c8791b04f8c6c42d5797b7e41c0166544c98624b3b6fd98642996f4fb18bf066cf12d6a91b4a3d2aebaeff6a3

Download Submit
C:\Users\Admin\ZJYAC\file.vbs

Filesize
56B

MD5
cbe5ac385bb4ec120cbfd121319e15d5

SHA1
0c10bb8c81fb7619b2bf0a549c8e864d5277b36c

SHA256
cb48873fee78db5d42435889dfaca918252638bc2d588adfcf49888a8207757f

SHA512
9fbf5d3c0e4f3d85508cf55566437293da2f7f2e3947520c90182da5f7460a1b72447b55d7fa82f832f6caed1ace358d2f595f0ce1eba1e05fcaeacc2c7879a0

Download Submit
C:\Users\Admin\ZJYAC\settings.ini

Filesize
129KB

MD5
6cbe6ab01e90d88dec0c9db3b8c3e862

SHA1
d3db5c0aaea7b087d69a0b627013e09ccb4df743

SHA256
6e3b1655ba6bb9f67a824363f0e26146e1ec075cf462ff437bf948a8c59a88b7

SHA512
811ae2f2d99bbb3469a7bbf768c5bff0b61bd020f61420770ce10c5d14de0947f787299863de6a275901d6a53cfba5d3f23ae30f84dc83cc5d685bdef3cfcd2a

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
6bf256fbfd5f010d20fff4bc2fd2d48e

SHA1
63ae176b1b6652a8f5d6c9f37baf84e7901d1dda

SHA256
80fbb78df46c6bf35ad55e116326fa9c0f44c89997c762a6d7d97012a671876a

SHA512
6030c6c9b296e22d0d17376e93c732835948ccdc3ace6ed15d5a35475b99dab73e9cb35eb64d6b19e91780f9b8a9ea910c4f756a9c7257a3899d90fe7b54e9b8

Download Submit
\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/840-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/840-74-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/840-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/840-94-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1940-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download