isrstealer | bf62bfd7d14a4e30f6a5298921b72b8ebba61b8fa9855f7ef529709033938800

General

Target

Program+NoAV.exe
Size

1.9MB
MD5

f8a53245f72a0a9c47b1b6ed1a68a73c
SHA1

f8983adea5437ed33a8c4625981ad865d491d973
SHA256

cd288d62360691a8fc532f3f39169b91ea1a849e4a766d3d6981be36c4ed318d
SHA512

8e0c6445ae75badf2748be74f5ce90457fdf583869ec33b196b08986fb80dca67cd74544780c916e47d5973562e14be23ed2da9cc435403f342b60406ad6ef7f
SSDEEP

24576:/5dZufOrzvckB+Fr+waFHTcqunNW3QdWvPiVD2CWgrUE94FFs+n9rQOF8n3M/JS2:/5dVwPaFHTTgkAAn2IQ39y9rRF85HjSH

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4876-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_isrstealer
behavioral4/memory/4876-19-0x0000000000400000-0x0000000000452000-memory.dmp	family_isrstealer
behavioral4/memory/4876-24-0x0000000000400000-0x0000000000452000-memory.dmp	family_isrstealer
behavioral4/memory/4876-36-0x0000000000400000-0x0000000000452000-memory.dmp	family_isrstealer

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Program+NoAV.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Program+NoAV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Program+NoAV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/3288-29-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral4/memory/3288-32-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral4/memory/3288-31-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral4/memory/3288-34-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

Program+NoAV.exeProgram+NoAV.exe

description	pid	Process	procid_target
PID 2448 set thread context of 4876	2448	Program+NoAV.exe	90
PID 4876 set thread context of 3288	4876	Program+NoAV.exe	91

Modifies registry class 5 IoCs

Processes:

Program+NoAV.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}	Program+NoAV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "PSTypeInfo"	Program+NoAV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32	Program+NoAV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ = "C:\\Windows\\SysWOW64\\oleaut32.dll"	Program+NoAV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ThreadingModel = "Both"	Program+NoAV.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Program+NoAV.exe

description	pid	Process
Token: 33	2448	Program+NoAV.exe
Token: SeIncBasePriorityPrivilege	2448	Program+NoAV.exe
Token: 33	2448	Program+NoAV.exe
Token: SeIncBasePriorityPrivilege	2448	Program+NoAV.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Program+NoAV.exe

pid	Process
4876	Program+NoAV.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Program+NoAV.exeProgram+NoAV.exeProgram+NoAV.exe

description	pid	Process	procid_target
PID 3312 wrote to memory of 2448	3312	Program+NoAV.exe	85
PID 3312 wrote to memory of 2448	3312	Program+NoAV.exe	85
PID 3312 wrote to memory of 2448	3312	Program+NoAV.exe	85
PID 3312 wrote to memory of 2448	3312	Program+NoAV.exe	85
PID 3312 wrote to memory of 2448	3312	Program+NoAV.exe	85
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 2448 wrote to memory of 4876	2448	Program+NoAV.exe	90
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91
PID 4876 wrote to memory of 3288	4876	Program+NoAV.exe	91

C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe
"C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe
  "C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe
    C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\Program+NoAV.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
      4⤵
      PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/2448-28-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2448-2-0x0000000002350000-0x00000000024AA000-memory.dmp

Filesize
1.4MB

Download
memory/2448-22-0x0000000002350000-0x00000000024AA000-memory.dmp

Filesize
1.4MB

Download
memory/2448-1-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2448-11-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2448-12-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2448-13-0x0000000002350000-0x00000000024AA000-memory.dmp

Filesize
1.4MB

Download
memory/2448-10-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2448-8-0x0000000002350000-0x00000000024AA000-memory.dmp

Filesize
1.4MB

Download
memory/3288-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3312-0-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/4876-36-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4876-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4876-24-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4876-19-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads