isrstealer | a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe

Resubmissions

11-05-2023 15:03

230511-se64xsga3z 10

29-01-2023 12:05

230129-n9m73seb74 10

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe
Size

121KB
MD5

8b6ee5274dca9075af87729fcad6c0f7
SHA1

a794785786d904390533f6a909715060fbb77286
SHA256

a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe
SHA512

112568d672a387e6977bc9e1b7c9a898685abdf841b01e4d2d39aa4942b739151d316032291298b4ecf7fd572232963243f10dbde0e99a884cc12d1d514c851a
SSDEEP

1536:+m1FG8XzZpMlOSYJFBewurwYwn66LpSfQUV7Wtr4G6kBUkGS4Je5Q/yKRyPsIGvl:7QWuNY0rc6ESUU5S4Je5EyKR+sIG/l

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3956-132-0x0000000000000000-mapping.dmp	family_isrstealer
behavioral2/memory/3956-133-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3956-140-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3956-141-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 1 IoCs

Processes:

poer.exe

pid process

3956 poer.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3956	poer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe

description	pid	process	target process
PID 3340 set thread context of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

poer.exe

pid process

3956 poer.exe
3956 poer.exe
3956 poer.exe
3956 poer.exe
3956 poer.exe
3956 poer.exe
3956 poer.exe
3956 poer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

poer.exe

pid process

3956 poer.exe

pid	process
3956	poer.exe
3956	poer.exe
3956	poer.exe
3956	poer.exe
3956	poer.exe
3956	poer.exe
3956	poer.exe
3956	poer.exe

pid	process
3956	poer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe

description	pid	process	target process
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe
PID 3340 wrote to memory of 3956	3340	a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe	poer.exe

C:\Users\Admin\AppData\Local\Temp\a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe
"C:\Users\Admin\AppData\Local\Temp\a30731a0007f106e4a12709ae7f5f4de133b20de59de10cd86b211d216779dbe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Roaming\poer.exe
  C:\Users\Admin\AppData\Roaming\poer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\poer.exe

Filesize
1KB

MD5
0df5b5319b99007441a57e8fd0b8727b

SHA1
73f1d54d460f84a68973e3a6fb56959dd853be5b

SHA256
27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

SHA512
563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

Download Submit
C:\Users\Admin\AppData\Roaming\poer.exe

Filesize
1KB

MD5
0df5b5319b99007441a57e8fd0b8727b

SHA1
73f1d54d460f84a68973e3a6fb56959dd853be5b

SHA256
27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

SHA512
563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

Download Submit
memory/3340-139-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/3956-132-0x0000000000000000-mapping.dmp

Download
memory/3956-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3956-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3956-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download