isrstealer | fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e

Analysis

max time kernel
64s
max time network
92s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 16:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
Size

596KB
MD5

033f741547a48edc8023c876ff7dcfb6
SHA1

debe8fced7d766edbec240f270140a4d1c2f7b14
SHA256

fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e
SHA512

0ff4fe58fb06c48ad3810c744290953837793c39d08d5fc3971210649bc2d1f9408ae782a15d63b933d1e16acd1fc18bb1e7037f1d6b1e2e2cfc43424403c5f5
SSDEEP

12288:gWfcA5sok1rJNAMPctYC/9HZ3eEAmw3OI:3eoiNL4p/r3eE/+

Score

10^/10

isrstealer bootkit persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/1324-99-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/1324-100-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/1324-101-0x00000000004011F0-mapping.dmp	family_isrstealer
behavioral1/memory/1324-107-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/1324-110-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 3 IoCs

pid	Process
1544	s5iPGegV.exe
1628	s5iPGegV.exe
1324	s5iPGegV.exe

Loads dropped DLL 4 IoCs

pid	Process
948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
1544	s5iPGegV.exe
1628	s5iPGegV.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
File opened for modification	\??\PhysicalDrive0	s5iPGegV.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1544 set thread context of 1628	1544	s5iPGegV.exe	31
PID 1628 set thread context of 1324	1628	s5iPGegV.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1324	s5iPGegV.exe
1324	s5iPGegV.exe
1324	s5iPGegV.exe
1324	s5iPGegV.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
1544	s5iPGegV.exe
1628	s5iPGegV.exe
1324	s5iPGegV.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 1948 wrote to memory of 948	1948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	28
PID 948 wrote to memory of 1544	948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	30
PID 948 wrote to memory of 1544	948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	30
PID 948 wrote to memory of 1544	948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	30
PID 948 wrote to memory of 1544	948	fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe	30
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1544 wrote to memory of 1628	1544	s5iPGegV.exe	31
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32
PID 1628 wrote to memory of 1324	1628	s5iPGegV.exe	32

C:\Users\Admin\AppData\Local\Temp\fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
"C:\Users\Admin\AppData\Local\Temp\fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe
  "C:\Users\Admin\AppData\Local\Temp\fcea44ccdda5c376d688d6ec36914763bdc510e9816a5ac68725ca8a267f1c5e.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe
    "C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe
      "C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1324

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\happy-new-year-2012.jpg

Filesize
53KB

MD5
31c7d7e1013c03e93c6e871fa7366802

SHA1
1af3a8b96a9a692dc33cf5c9ba341c7b77e846a3

SHA256
a3031f3be792428f74bd6158802f285c826bead7f036957566846951fe25c90d

SHA512
87319a1966f7b0ccf393bde76b3db1e4a1c70f59fb050859fa77175715e9b83d85f62a99742f9aba73e4070c0e8462d25b706079f3d156e12bc35d5b63ca98dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
\Users\Admin\AppData\Local\Temp\s5iPGegV.exe

Filesize
308KB

MD5
388203ee62004d1f99a533ef9743e3f5

SHA1
bd3d4fd6566c24fc38e3a43ae6c98e0df85fbb17

SHA256
127aa4cd1e29db2ea0acf9f0550c1180536a7cb06c7192c1bd328d207bd573f5

SHA512
b78368b4c2cd083bace3a37fa5b7be0cca508af6cd43bb586eaf0a2cc2c7bcee16f6df3e3df4f78d28c4b8c71bc5c7c8f250d32c08a2cdab8e166341e03c2965

Download Submit
memory/948-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/948-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/948-69-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/948-77-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/948-70-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/948-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/948-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/948-60-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1324-99-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-110-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-107-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-100-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-96-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-97-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1544-76-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1628-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1628-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1628-106-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1628-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1628-108-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1628-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1948-54-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download