isrstealer | 35e6db625e5143f7506e27153776623aa36e32bd8df2c8efabf053aa7aff3d1b

General

Target

Battlefield 3 Aimbot/WinJect.exe
Size

540KB
MD5

6abce2783394bf829a97599d04a8def3
SHA1

2a7864232650cf6528c903ec505e4fc1cc59517c
SHA256

29ab5fe35a0f48c4683adf37e978abbfff23c0b2f8b416d58b18690ebf41a66a
SHA512

8c07c4b105296747f6224f161b00250e5fa54c4f7b2ad33313b91f4116917064f4acc315f664688346d0272bc77953c338fe40d4ed6e0fd5e5ad507f12cdf7b4
SSDEEP

6144:dHEUWvcNBG1R741QrIJvnjqHByUkz/urMkHug25ijoBFQi7f0u1WeJiXpH4raGpt:pFG1d4gIJLqcU9OgiioSOLKR4rFMgn

Score

10^/10

isrstealer bootkit persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2736-68-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral3/memory/2736-64-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral3/memory/2736-76-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral3/memory/2736-77-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral3/memory/2736-79-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 4 IoCs

Processes:

Winject.exe0718i2vupW.exe0718i2vupW.exe0718i2vupW.exe

pid process

2860 Winject.exe
2884 0718i2vupW.exe
2780 0718i2vupW.exe
2736 0718i2vupW.exe
Loads dropped DLL 6 IoCs

Processes:

WinJect.exe0718i2vupW.exe0718i2vupW.exe

pid process

3032 WinJect.exe
3032 WinJect.exe
3032 WinJect.exe
3032 WinJect.exe
2884 0718i2vupW.exe
2780 0718i2vupW.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

WinJect.exe0718i2vupW.exe

description ioc process

File opened for modification \??\PhysicalDrive0 WinJect.exe
File opened for modification \??\PhysicalDrive0 0718i2vupW.exe

pid	process
2860	Winject.exe
2884	0718i2vupW.exe
2780	0718i2vupW.exe
2736	0718i2vupW.exe

pid	process
3032	WinJect.exe
3032	WinJect.exe
3032	WinJect.exe
3032	WinJect.exe
2884	0718i2vupW.exe
2780	0718i2vupW.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WinJect.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WinJect.exe0718i2vupW.exe0718i2vupW.exe

description	pid	process	target process
PID 2324 set thread context of 3032	2324	WinJect.exe	WinJect.exe
PID 2884 set thread context of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2780 set thread context of 2736	2780	0718i2vupW.exe	0718i2vupW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0718i2vupW.exe

pid process

2736 0718i2vupW.exe
2736 0718i2vupW.exe
2736 0718i2vupW.exe
2736 0718i2vupW.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Winject.exe

pid process

2860 Winject.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WinJect.exeWinJect.exe0718i2vupW.exe0718i2vupW.exe0718i2vupW.exe

pid process

2324 WinJect.exe
3032 WinJect.exe
2884 0718i2vupW.exe
2780 0718i2vupW.exe
2736 0718i2vupW.exe

pid	process
2736	0718i2vupW.exe
2736	0718i2vupW.exe
2736	0718i2vupW.exe
2736	0718i2vupW.exe

pid	process
2860	Winject.exe

pid	process
2324	WinJect.exe
3032	WinJect.exe
2884	0718i2vupW.exe
2780	0718i2vupW.exe
2736	0718i2vupW.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

WinJect.exeWinJect.exe0718i2vupW.exe0718i2vupW.exe

description	pid	process	target process
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 2324 wrote to memory of 3032	2324	WinJect.exe	WinJect.exe
PID 3032 wrote to memory of 2860	3032	WinJect.exe	Winject.exe
PID 3032 wrote to memory of 2860	3032	WinJect.exe	Winject.exe
PID 3032 wrote to memory of 2860	3032	WinJect.exe	Winject.exe
PID 3032 wrote to memory of 2860	3032	WinJect.exe	Winject.exe
PID 3032 wrote to memory of 2884	3032	WinJect.exe	0718i2vupW.exe
PID 3032 wrote to memory of 2884	3032	WinJect.exe	0718i2vupW.exe
PID 3032 wrote to memory of 2884	3032	WinJect.exe	0718i2vupW.exe
PID 3032 wrote to memory of 2884	3032	WinJect.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2884 wrote to memory of 2780	2884	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe
PID 2780 wrote to memory of 2736	2780	0718i2vupW.exe	0718i2vupW.exe

C:\Users\Admin\AppData\Local\Temp\Battlefield 3 Aimbot\WinJect.exe
"C:\Users\Admin\AppData\Local\Temp\Battlefield 3 Aimbot\WinJect.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\Battlefield 3 Aimbot\WinJect.exe
  "C:\Users\Admin\AppData\Local\Temp\Battlefield 3 Aimbot\WinJect.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Winject.exe
    "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
    "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
      "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
161KB

MD5
d1e78f1ec3f92b0bc3d7c5bb4ec7fe15

SHA1
ab938b657b726ad145c6bf38ab6f095f85d66453

SHA256
840992904cb9a8af93ed88b2f0d4c8a4b78bf2ff2b9f9e0ebac6da9456a4f68b

SHA512
6cddd2695fe433f64387303ac00ecc4972db5b4416d8d796499dc56265d2adf029538169f40c641d9c51a9c13032bb62c9d63ce56c4078b2f1a626cda3445281

Download Submit
C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
210KB

MD5
6fb30749ec2cfc52aed42fbfd6aa4f26

SHA1
83fa868167ac65612fd3bf52146a5fe770638118

SHA256
9c90a651a1e58bac500f9df262cc9a5e08918c837ba690f858202f38f1466ce2

SHA512
59631e7450621f0ed53b24d8beb350d91e84090103725db32d8e7ddd967a60ffe3fbbe9a5722aa007ed587e05d946ff3cdd7596d4340c12e0b08ad708de18801

Download Submit
C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
146KB

MD5
eed173c9719533ef58b2328f76666830

SHA1
37da7c9de8e9fedf0b728eb6c4a8e713ae7ea104

SHA256
195e8cd0bf9a06f8e072b11624e51bce42746ae80ab7ac1e3502b4d2708ae93b

SHA512
7de901f25578e682e81d6b681800e29f64514680174b011611949ee7bb29d4d509aec9e38b96e1fcc945c5e4f7f19e560b71d86aadfe04736a6ce737d73b8e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
115KB

MD5
91fc9ba9034be1a07f216f08c4d9bed4

SHA1
6e230780607a2eb6327167ee2532a8afc2ceada0

SHA256
2ca343d682cd973c91361c9ff7f0b8a71c6ee05eda257992a9b06182311861fa

SHA512
d3ad2cab8dbb8fbd4df2633883328d7301cba0121fcc5eace2427b3ccead585f10e923a309bd01124b501624a03195702c2e8ce7cdd1d920ee2b450b156dedc5

Download Submit
\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
228KB

MD5
4bde2fa501b271311668b79e08c3977e

SHA1
60517822d48cf2b560c2d4681c4e5685e29f9632

SHA256
73903815bf438131d3dee70fb8f7f757f1ae57deb7fddd802685fd14d95c33dd

SHA512
4a39144ed55e44228882b1d30e1d4b6ddc76cbc8037089fdd0e058ad79364a66d13d311827bf181907d3e29b84b6443349624e2d505d1c4d64cea2e48cd684c3

Download Submit
\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
148KB

MD5
a129d80195d4b3e7ee50425da478f2f7

SHA1
795aedf7ebff9dcde748e969237add68ab3e8db4

SHA256
008a3cfecd54940a71ee57107f790de81d546408629e586d5cb94294ad983d7f

SHA512
1d0ba8c0424fe233838b5f6bb2999d4b0dad031156397912a21218cc15c1795919a3de29251cec96e37fbe40080781267ccb4a167f4d0c85e8fdf9942bebb242

Download Submit
\Users\Admin\AppData\Local\Temp\Winject.exe

Filesize
156KB

MD5
5c71bf80b291452cff22524688d38297

SHA1
a10e2ee7d94b41c54149d3561166c37c1465e079

SHA256
9aa9e7fbf8b8d286c5c6f0571e08da319b5418b6a4f5565bb3aa7b879b26368b

SHA512
e12b07e9d08946222950e32acad1a81ec410132ed3baf9eecd2e940a0dc63acaa65a83875208eda0318b50a535b4579ae0650ea17ec05d11444460ac2d67b007

Download Submit
memory/2736-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-77-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2780-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2780-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3032-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-17-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-6-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-38-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3032-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads