isrstealer | 65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc

Analysis

max time kernel
170s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe
Size

917KB
MD5

76b2dba6a43492e10550b9a10c2368d0
SHA1

411020a85f69db023ebd0f8bc7517cd5f81b7cf2
SHA256

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc
SHA512

1912b5f7578e7bcd7daf80a3c88ceb533e3212247afd48a5c1d31a4d936219fa31fdabc92e6341ca92d1970e9383e2c571854f7c8ebd37c96a4def836039d751
SSDEEP

24576:v2O/Glwf/Rs5d0EVl1HUmPi0i3/7g6zwzRQegxP2y:hRizZ3q0i3/5k1ty

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-146-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer
behavioral2/memory/3708-149-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer
behavioral2/memory/3708-159-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer
behavioral2/memory/3708-161-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer
behavioral2/memory/3708-169-0x0000000000400000-0x0000000000456000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4980-167-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4980-168-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4980-167-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4980-168-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

917966.exe917966.exeRegSvcs.exeRegSvcs.exeRegSvcs.exe

pid process

2512 917966.exe
3408 917966.exe
3708 RegSvcs.exe
4992 RegSvcs.exe
4980 RegSvcs.exe

pid	process
2512	917966.exe
3408	917966.exe
3708	RegSvcs.exe
4992	RegSvcs.exe
4980	RegSvcs.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4992-153-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4992-156-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4992-157-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4992-158-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4980-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

917966.exeRegSvcs.exe

description	pid	process	target process
PID 3408 set thread context of 3708	3408	917966.exe	RegSvcs.exe
PID 3708 set thread context of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 set thread context of 4980	3708	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3708 RegSvcs.exe

pid	process
3708	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exeWScript.exe917966.exe917966.exeRegSvcs.exe

description	pid	process	target process
PID 4616 wrote to memory of 3880	4616	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	WScript.exe
PID 4616 wrote to memory of 3880	4616	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	WScript.exe
PID 4616 wrote to memory of 3880	4616	65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe	WScript.exe
PID 3880 wrote to memory of 2512	3880	WScript.exe	917966.exe
PID 3880 wrote to memory of 2512	3880	WScript.exe	917966.exe
PID 3880 wrote to memory of 2512	3880	WScript.exe	917966.exe
PID 2512 wrote to memory of 3408	2512	917966.exe	917966.exe
PID 2512 wrote to memory of 3408	2512	917966.exe	917966.exe
PID 2512 wrote to memory of 3408	2512	917966.exe	917966.exe
PID 3408 wrote to memory of 3708	3408	917966.exe	RegSvcs.exe
PID 3408 wrote to memory of 3708	3408	917966.exe	RegSvcs.exe
PID 3408 wrote to memory of 3708	3408	917966.exe	RegSvcs.exe
PID 3408 wrote to memory of 3708	3408	917966.exe	RegSvcs.exe
PID 3408 wrote to memory of 3708	3408	917966.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4992	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe
PID 3708 wrote to memory of 4980	3708	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe
"C:\Users\Admin\AppData\Local\Temp\65bb3153a497d25ed7574fe76e95732660d94965613bff11ba728d7251177ebc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\ZJYAC\file.vbs" 7263
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Users\Admin\ZJYAC\917966.exe
    "C:\Users\Admin\ZJYAC\917966.exe" 74091.HBY
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\ZJYAC\917966.exe
      917966.exe IHECWTIA.dat
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Gr6jVBHxkv.ini"
        6⤵
        Executes dropped EXE
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\SDoOpPeuOb.ini"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gr6jVBHxkv.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
c58203454914dff2e952a8709c485114

SHA1
48989f1fc6b9345c70a468f67e0f793e7e827fed

SHA256
5cec423dc700da5b7db5c7e65dc8091b46f0d9317e96ac22a03f5d7e94e51186

SHA512
ec09612b8634fcdd48df702572756d4fbc328063c74ee2cc52b85a19549a5cf7acc6d9466ff5e2be7dacdd896380add593e20688630e798cf03e67a77a3a557b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
c58203454914dff2e952a8709c485114

SHA1
48989f1fc6b9345c70a468f67e0f793e7e827fed

SHA256
5cec423dc700da5b7db5c7e65dc8091b46f0d9317e96ac22a03f5d7e94e51186

SHA512
ec09612b8634fcdd48df702572756d4fbc328063c74ee2cc52b85a19549a5cf7acc6d9466ff5e2be7dacdd896380add593e20688630e798cf03e67a77a3a557b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
45KB

MD5
c58203454914dff2e952a8709c485114

SHA1
48989f1fc6b9345c70a468f67e0f793e7e827fed

SHA256
5cec423dc700da5b7db5c7e65dc8091b46f0d9317e96ac22a03f5d7e94e51186

SHA512
ec09612b8634fcdd48df702572756d4fbc328063c74ee2cc52b85a19549a5cf7acc6d9466ff5e2be7dacdd896380add593e20688630e798cf03e67a77a3a557b

Download Submit
C:\Users\Admin\ZJYAC\12474.dat

Filesize
340KB

MD5
acb220aeb0f32a4478c4eeca3f19622b

SHA1
f54c316409875113aa966c52c90198d2698ae8ec

SHA256
9eaaae5b4b088813d0cc2ace75bcf8fa2a55c33eb81797ca7a6c254a12030852

SHA512
b7a25605c39d4a2c960479f17deb47b9be531f7dba63426947eb147a4652a48e0ff0428a2680d59f038adc0af2af12d3c6eb7bedc4b98e921cf472c675f43e77

Download Submit
C:\Users\Admin\ZJYAC\412492.dat

Filesize
27KB

MD5
0e43e41307c8f998951a68e84b165b8a

SHA1
07f5cc5855e35c13834a57daad287ae1fc4ea842

SHA256
eba0934d415383c54ba5d4f16c6c33352a93b25f434641c84685d195cb439def

SHA512
4d359dc8fa7a6a94b04b8152b74240159308db637c896c174c23cacbc072f8a694dc3aa1e321d8232213bd8f34e27c1b4e493ef1dad0d0e93027bacb99eef65e

Download Submit
C:\Users\Admin\ZJYAC\74091.HBY

Filesize
4.2MB

MD5
81ebb2af1aeccdc3d0f960063892ba35

SHA1
c66f9f0a9bf8f1411cd5c698627761e4c0142144

SHA256
fd8a0f2147c349dd35b1c7eb1c26061ec86df4acc7d40cc7be0450af587a6a40

SHA512
c59589b2a18fd0fb684e9f0cc648339c3ff84de95e67313cafc01b0948e2f75312656e133489c76b9b861270a3652a0ca16547763beaa588754abc8cd998fe18

Download Submit
C:\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\ZJYAC\917966.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\ZJYAC\IHECWTIA.dat

Filesize
27KB

MD5
c32aa4d19a4ebeb15884e3a6bebd8af2

SHA1
69e835785f0a2127655d4dbcddb9fcdc9c8766f9

SHA256
95b855811c98e617b2967ea5758efd0e2cd390ffa9060b880b3c93f1221cbe0e

SHA512
841e2f80270680fbbbb41e2d0c42cbc4e628d88f45ac33c4e50df9185180df8a96a7df55c7863abd2b76b846f2b49fc427b50ccaf107c74d623b5fe6caf04cd9

Download Submit
C:\Users\Admin\ZJYAC\NQFLZ

Filesize
1KB

MD5
6a0813d72c638d4d241926354b5b0f82

SHA1
f9fbad3509bcdbdc12388bebae781b0400172a70

SHA256
a1f78c3dcf864a446facdfdec38d32a2b9bb806272ecb16c3d8a0559dfb48fc5

SHA512
493e7a34637705517777c1eda5807cf2fac81a8c8791b04f8c6c42d5797b7e41c0166544c98624b3b6fd98642996f4fb18bf066cf12d6a91b4a3d2aebaeff6a3

Download Submit
C:\Users\Admin\ZJYAC\file.vbs

Filesize
56B

MD5
cbe5ac385bb4ec120cbfd121319e15d5

SHA1
0c10bb8c81fb7619b2bf0a549c8e864d5277b36c

SHA256
cb48873fee78db5d42435889dfaca918252638bc2d588adfcf49888a8207757f

SHA512
9fbf5d3c0e4f3d85508cf55566437293da2f7f2e3947520c90182da5f7460a1b72447b55d7fa82f832f6caed1ace358d2f595f0ce1eba1e05fcaeacc2c7879a0

Download Submit
C:\Users\Admin\ZJYAC\settings.ini

Filesize
129KB

MD5
6cbe6ab01e90d88dec0c9db3b8c3e862

SHA1
d3db5c0aaea7b087d69a0b627013e09ccb4df743

SHA256
6e3b1655ba6bb9f67a824363f0e26146e1ec075cf462ff437bf948a8c59a88b7

SHA512
811ae2f2d99bbb3469a7bbf768c5bff0b61bd020f61420770ce10c5d14de0947f787299863de6a275901d6a53cfba5d3f23ae30f84dc83cc5d685bdef3cfcd2a

Download Submit
memory/2512-135-0x0000000000000000-mapping.dmp

Download
memory/3408-140-0x0000000000000000-mapping.dmp

Download
memory/3708-159-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-169-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-149-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-146-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-161-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3708-145-0x0000000000000000-mapping.dmp

Download
memory/3880-132-0x0000000000000000-mapping.dmp

Download
memory/4980-162-0x0000000000000000-mapping.dmp

Download
memory/4980-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4992-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4992-156-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4992-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4992-152-0x0000000000000000-mapping.dmp

Download