isrstealer | e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d | Triage

Submit
Reports

Overview

overview

Static

static

3

e116864cc4...JC.exe

windows7-x64

e116864cc4...JC.exe

windows10-2004-x64

Sharing

General

Target

e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d_JC.exe
Size

863KB
Sample

230924-rpcsdshd77
MD5

8c57dda2b134801321a87c65cfb4fd85
SHA1

177ef72837380cff667111373695138decc972f3
SHA256

e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
SHA512

5642c315cec341fd0c9a63a27d43971bcd62960d45a778dddcfde7cba8881a430566f2f6a7e7897c7252edad1651c2fadfde047b4e904ff3840f3f3472f12d4a
SSDEEP

24576:P2O/GlsQSLG/5vEprm6QTkw7g6zwm4m53Sb2xIJ:GSLLmJkw5kFm53SyxIJ

Score

10^/10

isrstealer collection persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d_JC.exe

Resource

win7-20230831-en

isrstealer persistence stealer trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d_JC.exe

Resource

win10v2004-20230915-en

isrstealer collection persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d_JC.exe
- Size
  
  863KB
- MD5
  
  8c57dda2b134801321a87c65cfb4fd85
- SHA1
  
  177ef72837380cff667111373695138decc972f3
- SHA256
  
  e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
- SHA512
  
  5642c315cec341fd0c9a63a27d43971bcd62960d45a778dddcfde7cba8881a430566f2f6a7e7897c7252edad1651c2fadfde047b4e904ff3840f3f3472f12d4a
- SSDEEP
  
  24576:P2O/GlsQSLG/5vEprm6QTkw7g6zwm4m53Sb2xIJ:GSLLmJkw5kFm53SyxIJ
Score

10^/10

isrstealer persistence stealer trojan collection upx
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
  trojan stealer isrstealer
- ISR Stealer payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

isrstealerpersistencestealertrojan

behavioral2

isrstealercollectionpersistencestealertrojanupx

© 2018-2024

Terms | Privacy