isrstealer | 6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe
Size

280KB
MD5

f93496e770004890031151a17c837951
SHA1

eb37bcd710d75673eb9ddd4d0ce702850d399e27
SHA256

6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817
SHA512

03a4ffce4c1b6baac5cb5f1d1c5fa0605b003fdbff0fa0cc91d955c83e6a2f005f1b7d3ff191df5c85ce10512e42f12a9270574fddf8da1b5e1ed13944360321
SSDEEP

6144:6sL69fl354FyO/XXNNQzgD3mtF0VTT6LDuIa+P4:halppO/nod8n6LDuILg

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2132-153-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/2132-154-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2132-165-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2132-167-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Executes dropped EXE 1 IoCs

pid	Process
4032	muqinimamah.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2268-160-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2268-162-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2268-163-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2268-164-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
4032	muqinimamah.exe
4032	muqinimamah.exe
4032	muqinimamah.exe
4032	muqinimamah.exe
4032	muqinimamah.exe
4032	muqinimamah.exe
4032	muqinimamah.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4032 set thread context of 2556	4032	muqinimamah.exe	83
PID 2556 set thread context of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2132 set thread context of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4032	1576	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	82
PID 1576 wrote to memory of 4032	1576	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	82
PID 1576 wrote to memory of 4032	1576	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	82
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 4032 wrote to memory of 2556	4032	muqinimamah.exe	83
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2556 wrote to memory of 2132	2556	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	84
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85
PID 2132 wrote to memory of 2268	2132	6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe	85

C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe
"C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\muqinimamah.exe
  "C:\Users\Admin\AppData\Local\Temp\muqinimamah.exe" "C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe
    "C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe
      "C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\6ef8be1dd08c47032626852dafa2086099ce4535f7b150fdba58e0162f7d5817.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\GoORc28FNU.ini"
        5⤵
        
        PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cunibukali.dll

Filesize
17KB

MD5
fb3a2a61f0235fcb2513dd6cf0dd9846

SHA1
9c6322af82da21629d5d402a038e9f1d22c82ee4

SHA256
5abf72ba4c8403c45c94b0e6cf58b3bb2de534daeeb2c2b6c34b51b5d88dfcde

SHA512
089148ccff16f0097368af52e527c841202dd29f02a6c4f689b2856382769c1a1e08ae77ff3302912b021917d21bf0b2f4e7ee35efb0bb87928dab88b93f9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cunibukali.dll

Filesize
17KB

MD5
fb3a2a61f0235fcb2513dd6cf0dd9846

SHA1
9c6322af82da21629d5d402a038e9f1d22c82ee4

SHA256
5abf72ba4c8403c45c94b0e6cf58b3bb2de534daeeb2c2b6c34b51b5d88dfcde

SHA512
089148ccff16f0097368af52e527c841202dd29f02a6c4f689b2856382769c1a1e08ae77ff3302912b021917d21bf0b2f4e7ee35efb0bb87928dab88b93f9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoORc28FNU.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jovipaki.cik

Filesize
199KB

MD5
989dc9e76c631fa8e20e0d1bdb6f08cd

SHA1
a6fb12806dbf008d16fb3db7e18187d26c841154

SHA256
d6ae4b7368f7f95834dc0878e773f289bb3bab28ee114ee2fb167ff5064ad88e

SHA512
bbb5cfde026da9c326de3e01e7263e1c0d53308f79bc57d7848a0ca1d14836dce003070dafe5de8a45b7a5ed6256717c209c7ab80bbaa8881b505a7c86f2d1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\muqinimamah.exe

Filesize
52KB

MD5
a2d4d79281593fcfcedb853d5c0ad482

SHA1
b2a3864d62e71a742266e399aac77ab0c529497e

SHA256
600c7f2d3e70da9b2fc77aef7f4c377e2eb08fb5f9fad768e9572c91fc50df5c

SHA512
0bc996bf3a7c07c0f939ec44455ba526e529fbf38292108666c19e87d9f19fa8965ee29ca968749e91104b6369a6f10b50327283cc224a3977a148aac8c93396

Download Submit
C:\Users\Admin\AppData\Local\Temp\muqinimamah.exe

Filesize
52KB

MD5
a2d4d79281593fcfcedb853d5c0ad482

SHA1
b2a3864d62e71a742266e399aac77ab0c529497e

SHA256
600c7f2d3e70da9b2fc77aef7f4c377e2eb08fb5f9fad768e9572c91fc50df5c

SHA512
0bc996bf3a7c07c0f939ec44455ba526e529fbf38292108666c19e87d9f19fa8965ee29ca968749e91104b6369a6f10b50327283cc224a3977a148aac8c93396

Download Submit
C:\Users\Admin\AppData\Local\Temp\vazuqasot.dll

Filesize
17KB

MD5
b5c08ad94913970cccc20fa068fce108

SHA1
345b6ff64a50c219ae9a239df9ecf70fb37d7673

SHA256
f7a7579e1fca66743917399710d9c30ce0acca84af58c64702700120dccc755f

SHA512
274a6f5f1cbc4a7e99c1e9f69a8292a02ef1ec02bb8657eb9c87bdcb4b63832f9c347bdebf26a8faf95e3ca5afd5df3cd75ca10ab70552ddb2678a0ab6f8107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vazuqasot.dll

Filesize
17KB

MD5
b5c08ad94913970cccc20fa068fce108

SHA1
345b6ff64a50c219ae9a239df9ecf70fb37d7673

SHA256
f7a7579e1fca66743917399710d9c30ce0acca84af58c64702700120dccc755f

SHA512
274a6f5f1cbc4a7e99c1e9f69a8292a02ef1ec02bb8657eb9c87bdcb4b63832f9c347bdebf26a8faf95e3ca5afd5df3cd75ca10ab70552ddb2678a0ab6f8107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vazuqasot.dll

Filesize
17KB

MD5
b5c08ad94913970cccc20fa068fce108

SHA1
345b6ff64a50c219ae9a239df9ecf70fb37d7673

SHA256
f7a7579e1fca66743917399710d9c30ce0acca84af58c64702700120dccc755f

SHA512
274a6f5f1cbc4a7e99c1e9f69a8292a02ef1ec02bb8657eb9c87bdcb4b63832f9c347bdebf26a8faf95e3ca5afd5df3cd75ca10ab70552ddb2678a0ab6f8107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafirevebi.dll

Filesize
16KB

MD5
175ce34f823bf3289e8ac9ad51f2edb6

SHA1
efde5500b102066018f7dfd0b7f66aa67e72f70d

SHA256
c6f3b4d69ab6756e13eea64e7751a6b357a50290d74dc802f7d57c5324e2de75

SHA512
8fb988170ff0c111adc01dbf635ddf027859368d5118679ada420d28c25fea8135cc335f846e59a60d6ccbf451e806dbe03283e066ae89bffb5160539707b094

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafirevebi.dll

Filesize
16KB

MD5
175ce34f823bf3289e8ac9ad51f2edb6

SHA1
efde5500b102066018f7dfd0b7f66aa67e72f70d

SHA256
c6f3b4d69ab6756e13eea64e7751a6b357a50290d74dc802f7d57c5324e2de75

SHA512
8fb988170ff0c111adc01dbf635ddf027859368d5118679ada420d28c25fea8135cc335f846e59a60d6ccbf451e806dbe03283e066ae89bffb5160539707b094

Download Submit
C:\Users\Admin\AppData\Local\Temp\xafirevebi.dll

Filesize
16KB

MD5
175ce34f823bf3289e8ac9ad51f2edb6

SHA1
efde5500b102066018f7dfd0b7f66aa67e72f70d

SHA256
c6f3b4d69ab6756e13eea64e7751a6b357a50290d74dc802f7d57c5324e2de75

SHA512
8fb988170ff0c111adc01dbf635ddf027859368d5118679ada420d28c25fea8135cc335f846e59a60d6ccbf451e806dbe03283e066ae89bffb5160539707b094

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoqatubetuya.dll

Filesize
24KB

MD5
f0f153dd1abfd6421b6448d7fcb81308

SHA1
71607d053bdac9b9ace174529e898b7dc70c88e9

SHA256
c95bc02ae1c2c2ab40903830ea4c11184c9b9c385922322dcef5f301e3922d97

SHA512
83fe18cb01b3e877e90e72741c4d58da2a7a61874013a936d0271d4dbebfa3450ae352b6eeec2d3612b4ce3487ad44bea6c30ffc01d1ed5b8cd5f354f199d970

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoqatubetuya.dll

Filesize
24KB

MD5
f0f153dd1abfd6421b6448d7fcb81308

SHA1
71607d053bdac9b9ace174529e898b7dc70c88e9

SHA256
c95bc02ae1c2c2ab40903830ea4c11184c9b9c385922322dcef5f301e3922d97

SHA512
83fe18cb01b3e877e90e72741c4d58da2a7a61874013a936d0271d4dbebfa3450ae352b6eeec2d3612b4ce3487ad44bea6c30ffc01d1ed5b8cd5f354f199d970

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoqatubetuya.dll

Filesize
24KB

MD5
f0f153dd1abfd6421b6448d7fcb81308

SHA1
71607d053bdac9b9ace174529e898b7dc70c88e9

SHA256
c95bc02ae1c2c2ab40903830ea4c11184c9b9c385922322dcef5f301e3922d97

SHA512
83fe18cb01b3e877e90e72741c4d58da2a7a61874013a936d0271d4dbebfa3450ae352b6eeec2d3612b4ce3487ad44bea6c30ffc01d1ed5b8cd5f354f199d970

Download Submit
memory/2132-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-164-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-163-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-162-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-144-0x0000000000581000-0x0000000000584000-memory.dmp

Filesize
12KB

Download
memory/4032-148-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/4032-147-0x0000000000591000-0x0000000000594000-memory.dmp

Filesize
12KB

Download