isrstealer | 8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe
Size

915KB
MD5

d5517bed2e8eebb29ed1ac0df1fc0f27
SHA1

a216d852812987b7026148f5cb3df3ebf0d64c80
SHA256

8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81
SHA512

6d39794b8e400701593ec720ab8b6d211804f9a80634a4c68d301fb114054b40c87def9a915c76a226635238c094f0faab402437a7c738cf744e31900580a1c1
SSDEEP

12288:J6Wq4aaE6KwyF5L0Y2D1PqLCL0AyP01MzKoKqEJlOAH3BxvvQTgaA:fthEVaPqLCLqEMuoKqWlOAXzxaA

Score

10^/10

isrstealer stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1084-58-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-55-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral1/memory/1832-60-0x0000000000400000-0x000000000056B000-memory.dmp	upx
behavioral1/memory/1832-61-0x0000000000400000-0x000000000056B000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1832-55-0x0000000000400000-0x000000000056B000-memory.dmp	autoit_exe
behavioral1/memory/1832-60-0x0000000000400000-0x000000000056B000-memory.dmp	autoit_exe
behavioral1/memory/1832-61-0x0000000000400000-0x000000000056B000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27
PID 1832 wrote to memory of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27
PID 1832 wrote to memory of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27
PID 1832 wrote to memory of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27
PID 1832 wrote to memory of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27
PID 1832 wrote to memory of 1084	1832	8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe	27

C:\Users\Admin\AppData\Local\Temp\8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe
"C:\Users\Admin\AppData\Local\Temp\8b04442da25cfa5698f2ceddb2137c1306d84880a04fa2a2d662090fe23e3e81.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\SysWOW64\calc.exe"
  2⤵
  PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1084-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1832-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1832-55-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/1832-60-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/1832-61-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download