isrstealer | dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8

Analysis

max time kernel
169s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe
Size

524KB
MD5

26f70cf2e0b7feddc75e162ce6c5d778
SHA1

604c1ea6e9451e2c7db2e02be4652d48405bbb4d
SHA256

dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8
SHA512

ff6c492889e5f69b84482d85d17c637af7203c66c25eb5f4934e420e457ec02398d409a9eb7c151d0de7755a2a424b48cacf61c44d73a285f9ad7f33610b2d4f
SSDEEP

3072:VCFPHBHjCFPHBHhCFPHBHjCFPHBHdBfXozNtBu4f+m3gFCDWzey2ObeOJjqrHbly:hBINzr3+5zeDObzJWHblqcH8

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e37-139.dat	family_isrstealer
behavioral2/files/0x0006000000022e37-140.dat	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
1732	nsrss.exe
1672	csrss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\nsrss.exe	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe
File opened for modification	C:\Windows\csrss.exe	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe
1672	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1868	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1868	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1420	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe
1672	csrss.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1732	1420	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe	83
PID 1420 wrote to memory of 1732	1420	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe	83
PID 1420 wrote to memory of 1672	1420	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe	84
PID 1420 wrote to memory of 1672	1420	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe	84
PID 1420 wrote to memory of 1672	1420	dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe	84

C:\Users\Admin\AppData\Local\Temp\dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe
"C:\Users\Admin\AppData\Local\Temp\dac59c62d45ca92d45f8f5ce05768c3b1a1396ca2a778473578312d7cb48e9d8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\nsrss.exe
  C:\Windows/nsrss.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\csrss.exe
  C:\Windows/csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\csrss.exe

Filesize
76KB

MD5
d9b774377a16e4b04cb6504bbda13203

SHA1
bdd66993c87ba8a6db0e331d3f38828ffcb88915

SHA256
cc4eea1851415edcad4c19c80c227e40e807b740671f2f0350cb5c9d7366e937

SHA512
80b971fd80ca790ce5760519f7d6996f0f5cdcf5dcd3172604b6c4bc2e83f08912d8d856045fc212a6d3ce3ebf047355011033562c2ba2fe4a269fbac2a25991

Download Submit
C:\Windows\csrss.exe

Filesize
76KB

MD5
d9b774377a16e4b04cb6504bbda13203

SHA1
bdd66993c87ba8a6db0e331d3f38828ffcb88915

SHA256
cc4eea1851415edcad4c19c80c227e40e807b740671f2f0350cb5c9d7366e937

SHA512
80b971fd80ca790ce5760519f7d6996f0f5cdcf5dcd3172604b6c4bc2e83f08912d8d856045fc212a6d3ce3ebf047355011033562c2ba2fe4a269fbac2a25991

Download Submit
C:\Windows\nsrss.exe

Filesize
429KB

MD5
b8d03e2797b629b60946dddbfc64cd52

SHA1
39f98856cfeda2f22b7ed67056e7e4a122bf1aca

SHA256
8eba48a4967b9489ac10ab79a144d773db81bc496244f28171b2b4b38e3014c1

SHA512
e74ba1a3b70917254f0839a56ad7e45deb5e20bdc0eeedebbed13c8e4bc2423a09ebd7a137d5185c15b5b0c67a1a37daa94e63baae825dfd4417db6fb9d6ddb6

Download Submit
C:\Windows\nsrss.exe

Filesize
429KB

MD5
b8d03e2797b629b60946dddbfc64cd52

SHA1
39f98856cfeda2f22b7ed67056e7e4a122bf1aca

SHA256
8eba48a4967b9489ac10ab79a144d773db81bc496244f28171b2b4b38e3014c1

SHA512
e74ba1a3b70917254f0839a56ad7e45deb5e20bdc0eeedebbed13c8e4bc2423a09ebd7a137d5185c15b5b0c67a1a37daa94e63baae825dfd4417db6fb9d6ddb6

Download Submit
memory/1732-137-0x00007FF80B750000-0x00007FF80C186000-memory.dmp

Filesize
10.2MB

Download