isrstealer | 95f5e8a8f81cc22aa687cf82e0d6cadbf130f25018fa0097710927ed40d2f939

General

Target

b42e7395d548094719753ce21cafc064.exe
Size

500KB
MD5

b42e7395d548094719753ce21cafc064
SHA1

6baed6fc826f81aa77cbd71945c46d44c04718e4
SHA256

95f5e8a8f81cc22aa687cf82e0d6cadbf130f25018fa0097710927ed40d2f939
SHA512

52d741889f330dddfa97897c3b642fbd7a05364b1122e794a4deab0d4c2214f6629b2e03727f5422161fff4d83e82b93866339623917b88e8123fc271a6a4557
SSDEEP

12288:G3s06nf8okk8kGfCIcgiLTXWswMGMv0MSPmIQWe:BPfkkZ8diLjXzGySPm7We

Score

10^/10

isrstealer bootkit persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023201-11.dat	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	b42e7395d548094719753ce21cafc064.exe

Executes dropped EXE 2 IoCs

pid	Process
4560	mw_111221_passwd.exe
3592	mw_111221_vnpanel.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crssr = "C:\\Users\\Admin\\AppData\\Roaming\\crssr"	mw_111221_vnpanel.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b42e7395d548094719753ce21cafc064.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe
4560	mw_111221_passwd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1056	b42e7395d548094719753ce21cafc064.exe
4508	b42e7395d548094719753ce21cafc064.exe
4560	mw_111221_passwd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 1056 wrote to memory of 4508	1056	b42e7395d548094719753ce21cafc064.exe	92
PID 4508 wrote to memory of 4560	4508	b42e7395d548094719753ce21cafc064.exe	93
PID 4508 wrote to memory of 4560	4508	b42e7395d548094719753ce21cafc064.exe	93
PID 4508 wrote to memory of 4560	4508	b42e7395d548094719753ce21cafc064.exe	93
PID 4508 wrote to memory of 3592	4508	b42e7395d548094719753ce21cafc064.exe	94
PID 4508 wrote to memory of 3592	4508	b42e7395d548094719753ce21cafc064.exe	94
PID 4508 wrote to memory of 3592	4508	b42e7395d548094719753ce21cafc064.exe	94

C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064.exe
"C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064.exe
  "C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\mw_111221_passwd.exe
    "C:\Users\Admin\AppData\Local\Temp\mw_111221_passwd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\mw_111221_vnpanel.exe
    "C:\Users\Admin\AppData\Local\Temp\mw_111221_vnpanel.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mw_111221_passwd.exe

Filesize
76KB

MD5
32c96c4a94e4066cc6eeb2b0d24dfc36

SHA1
d256f6ea46af1c578d96b59d945f00880f9aa4f0

SHA256
02d227751808eb5cd476c91d6b2f8260c812042de78fc04ae3770168f2873f97

SHA512
af0e6c6b8ba9769b5981780740b00bac46c3cc1ae552e5d6a6a29f6eeb4df312e3f39cbd163e5d612125ae2f91173432b6a22aa1dcccc7c5eff9aafad0692fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mw_111221_vnpanel.exe

Filesize
166KB

MD5
16cde6a521edcd5cc7fa9860096f9222

SHA1
b69246e52d0adee6725fd9ec69c7a7b9974b7634

SHA256
cdd686b7f74b3f0224bbc44daffe7fa9cc9309838866f1586d317a7df5e5df6f

SHA512
41ebfe0a023213113e13307d9bcea0f780f9604cdaa444ce73cc720156d2f3868f1f32c585ad2eb8a8bdd60a0d0ba14e1140d1fd484b4cd75de8ff02826869b9

Download Submit
memory/4508-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4508-4-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4508-28-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads