isrstealer | cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998

General

Target

cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe
Size

239KB
MD5

39e9d0668657ab131ef5d8650afa020d
SHA1

9026cf67443274cb6e0bba6acd681a1a86eca04c
SHA256

cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998
SHA512

05dbca3c3627f6b27988589ff649ff7d74728f49919be19aa5d8f50a513d6a3be2ce8aa9361b46044577ec2813aa20e0f643ce6b73c8bd142386c64562bcfea6
SSDEEP

3072:3KDAfCDSmJkWU2vSVL65GX5SErg7XVIdYjwDGlb6qsVcVyo7M85TnZhtG2ak6oZo:3RKvSVLJ96sYTp6qsVcVDnZhtUO34zJ

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4928-143-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/4928-144-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/4928-149-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/4928-150-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
5004	Keygen.exe
4924	cc.exe
4928	cc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e12-135.dat	upx
behavioral2/files/0x000a000000022e12-134.dat	upx
behavioral2/memory/5004-141-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/5004-142-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4924 set thread context of 4928	4924	cc.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4928	cc.exe
4928	cc.exe
4928	cc.exe
4928	cc.exe
4928	cc.exe
4928	cc.exe
4928	cc.exe
4928	cc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4540	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4924	cc.exe
4928	cc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 5004	3356	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe	81
PID 3356 wrote to memory of 5004	3356	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe	81
PID 3356 wrote to memory of 5004	3356	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe	81
PID 3356 wrote to memory of 4924	3356	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe	82
PID 3356 wrote to memory of 4924	3356	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe	82
PID 3356 wrote to memory of 4924	3356	cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe	82
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86
PID 4924 wrote to memory of 4928	4924	cc.exe	86

C:\Users\Admin\AppData\Local\Temp\cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe
"C:\Users\Admin\AppData\Local\Temp\cc5fb50f7f548e289ba543d37515bc8fd42855a6c003351d832545f0353aa998.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\cc.exe
  "C:\Users\Admin\AppData\Local\Temp\cc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\cc.exe
    "C:\Users\Admin\AppData\Local\Temp\cc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
142KB

MD5
15b7510eee022821465cc01485e4cad7

SHA1
73f546d57008682ec733ae456b7ac3939fdf3d3a

SHA256
df3998a40ab3e40d18d5251121991a969c0846353bd9f193ecad3e7f2c47f4f3

SHA512
f70862061eb71898e04e2879609dad0775632b5a75b783b681fefb72f791e69034800c62e17224600240e8bbd4ef5344ed3ea36975b5437d96526fb16db41c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen.exe

Filesize
142KB

MD5
15b7510eee022821465cc01485e4cad7

SHA1
73f546d57008682ec733ae456b7ac3939fdf3d3a

SHA256
df3998a40ab3e40d18d5251121991a969c0846353bd9f193ecad3e7f2c47f4f3

SHA512
f70862061eb71898e04e2879609dad0775632b5a75b783b681fefb72f791e69034800c62e17224600240e8bbd4ef5344ed3ea36975b5437d96526fb16db41c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.exe

Filesize
148KB

MD5
3aa7cca7e0022c52755ab9c00431d1fc

SHA1
56db54f8420eacb11b19db6f4035085c93291605

SHA256
0ad52e0b89a1782221aaad8a64dcd50c16ed3128f414dab0d5904fce68bbaa5f

SHA512
6f20129e4c6d04b0f084f2679a0a8b29f4cd81c6956acab87cd545ea54d34721c2c33066a843199a44472f7aa1d0fd034b5fb5ff3e5d2eb82cd2dd66fd6341ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.exe

Filesize
148KB

MD5
3aa7cca7e0022c52755ab9c00431d1fc

SHA1
56db54f8420eacb11b19db6f4035085c93291605

SHA256
0ad52e0b89a1782221aaad8a64dcd50c16ed3128f414dab0d5904fce68bbaa5f

SHA512
6f20129e4c6d04b0f084f2679a0a8b29f4cd81c6956acab87cd545ea54d34721c2c33066a843199a44472f7aa1d0fd034b5fb5ff3e5d2eb82cd2dd66fd6341ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc.exe

Filesize
148KB

MD5
3aa7cca7e0022c52755ab9c00431d1fc

SHA1
56db54f8420eacb11b19db6f4035085c93291605

SHA256
0ad52e0b89a1782221aaad8a64dcd50c16ed3128f414dab0d5904fce68bbaa5f

SHA512
6f20129e4c6d04b0f084f2679a0a8b29f4cd81c6956acab87cd545ea54d34721c2c33066a843199a44472f7aa1d0fd034b5fb5ff3e5d2eb82cd2dd66fd6341ab

Download Submit
memory/4928-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4928-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4928-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-142-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5004-141-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing