isrstealer | 4d4e7a37101a9fa0810a3ff324a87c302a1328dcaeae6a9c637752e871a1a678

Analysis

max time kernel
2s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc35c41440704458ed7a60c0ac026f62.exe
Size

408KB
MD5

dc35c41440704458ed7a60c0ac026f62
SHA1

28459a2a602943fb5f44cb7424061c390fefb502
SHA256

4d4e7a37101a9fa0810a3ff324a87c302a1328dcaeae6a9c637752e871a1a678
SHA512

f522adf75f7915caf3a87551f4704303ddde487da920c6a2a762d4fc821f5c6749b2496cdd5b5193252eb97f01cdcc3dc77584be90e6833e32f2410b955f8081
SSDEEP

6144:v7l/Mts0sXrneChRWcSUEC8ctAom2C+do4ON1ZA0bYQpBuLGlY+6iPHS/ei:hMSeChscpEBctA2Q11aPQ3/6/ei

Score

10^/10

isrstealer stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2108-364-0x0000000000400000-0x0000000000459000-memory.dmp	family_isrstealer
behavioral1/files/0x000a000000015626-411.dat	family_isrstealer
behavioral1/files/0x000a000000015626-402.dat	family_isrstealer
behavioral1/memory/2108-894-0x0000000000400000-0x0000000000459000-memory.dmp	family_isrstealer
behavioral1/memory/3008-872-0x0000000000400000-0x0000000000459000-memory.dmp	family_isrstealer
behavioral1/memory/2108-1018-0x0000000000400000-0x0000000000459000-memory.dmp	family_isrstealer

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2692-458-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral1/memory/2692-940-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/2692-458-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/2692-940-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1448	FAJFA.exe
2664	FAJFA.exe
2692	FAJFA.exe

Loads dropped DLL 7 IoCs

pid	Process
2108	dc35c41440704458ed7a60c0ac026f62.exe
2108	dc35c41440704458ed7a60c0ac026f62.exe
2108	dc35c41440704458ed7a60c0ac026f62.exe
2108	dc35c41440704458ed7a60c0ac026f62.exe
2108	dc35c41440704458ed7a60c0ac026f62.exe
1448	FAJFA.exe
2664	FAJFA.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-359-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2108-364-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2992-394-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2992-401-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2108-894-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2956-897-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2956-901-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2992-908-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3008-872-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2108-1018-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2956-1021-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 set thread context of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 1448 set thread context of 2664	1448	FAJFA.exe	31
PID 2664 set thread context of 2692	2664	FAJFA.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1448	FAJFA.exe
1448	FAJFA.exe
1448	FAJFA.exe
1448	FAJFA.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
624	dc35c41440704458ed7a60c0ac026f62.exe
2108	dc35c41440704458ed7a60c0ac026f62.exe
2992	dc35c41440704458ed7a60c0ac026f62.exe
1448	FAJFA.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2108	624	dc35c41440704458ed7a60c0ac026f62.exe	28
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 624 wrote to memory of 2992	624	dc35c41440704458ed7a60c0ac026f62.exe	29
PID 2108 wrote to memory of 1448	2108	dc35c41440704458ed7a60c0ac026f62.exe	32
PID 2108 wrote to memory of 1448	2108	dc35c41440704458ed7a60c0ac026f62.exe	32
PID 2108 wrote to memory of 1448	2108	dc35c41440704458ed7a60c0ac026f62.exe	32
PID 2108 wrote to memory of 1448	2108	dc35c41440704458ed7a60c0ac026f62.exe	32
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 1448 wrote to memory of 2664	1448	FAJFA.exe	31
PID 2664 wrote to memory of 2692	2664	FAJFA.exe	30
PID 2664 wrote to memory of 2692	2664	FAJFA.exe	30
PID 2664 wrote to memory of 2692	2664	FAJFA.exe	30
PID 2664 wrote to memory of 2692	2664	FAJFA.exe	30
PID 2664 wrote to memory of 2692	2664	FAJFA.exe	30
PID 2664 wrote to memory of 2692	2664	FAJFA.exe	30

C:\Users\Admin\AppData\Local\Temp\dc35c41440704458ed7a60c0ac026f62.exe
"C:\Users\Admin\AppData\Local\Temp\dc35c41440704458ed7a60c0ac026f62.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\dc35c41440704458ed7a60c0ac026f62.exe
  "C:\Users\Admin\AppData\Local\Temp\dc35c41440704458ed7a60c0ac026f62.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\FAJFA.exe
    "C:\Users\Admin\AppData\Local\Temp\FAJFA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1448
- C:\Users\Admin\AppData\Local\Temp\dc35c41440704458ed7a60c0ac026f62.exe
  "C:\Users\Admin\AppData\Local\Temp\dc35c41440704458ed7a60c0ac026f62.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2992
- - C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe
    "C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe"
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe
      "C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe"
      4⤵
      PID:3008
  - - C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe
      "C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe"
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYAWV.bat" "
    3⤵
    PID:2988

C:\Users\Admin\AppData\Local\Temp\FAJFA.exe
"C:\Users\Admin\AppData\Local\Temp\FAJFA.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
1⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\AppData\Local\Temp\FAJFA.exe
"C:\Users\Admin\AppData\Local\Temp\FAJFA.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "invidiadriver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system32\intelgfx.exe" /f
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FAJFA.exe

Filesize
320KB

MD5
ccc2260269cb43ddadda9444e3d112f7

SHA1
ddab46acc12d7c60a15fa363f88030f1dd539fcb

SHA256
8ca1bd039407381c33fb7ab570b6e95b0ce64b0d5ef64a1968f9b55647cc1911

SHA512
787d0b4f5d89b840a4917c78e46f963c8c96a96ec005b45d085222ef307c2a76f074c4a65ca033b038e1b7d1419c7cd3c5c5f3075c3ea24e546c68bdd7643fde

Download Submit
memory/624-156-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/624-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1436-654-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2108-359-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2108-364-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2108-1018-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2108-894-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2664-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-940-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2692-458-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2956-897-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-901-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2956-1021-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2992-401-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2992-908-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2992-394-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3008-872-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download