isrstealer | 1e4979be2176deb966d47734d5ad465f64d1508f132a190730f2b0ad382d176c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[Suamaytinhtainha115.VN] Windows 8 Loader/KMS.exe
Size

276KB
MD5

b8b585877875c3679754094ad1449c08
SHA1

52a9df4e81d77a40f84e5cd2f192653da9eb80fb
SHA256

12bd99618398b770106d8f0ecdbaa217cf9ba03c83bd24dbff4e7515f9d74ee6
SHA512

4e83134e1ba25dc96ca75300dac182e82f0a281c602558327bc8838566643bb0bd31b68e437d230f71b10efa9a78cf8c673e3033b2de1d5406701b9470155c19
SSDEEP

6144:CdhyTMe7zdIKCC0ef//uXltKc+LVsz9b894jvLXo6Jdmz:GutzdFeCXuLKcCVsz6ODLXo6K

Score

10^/10

isrstealer collection discovery spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral3/memory/2104-26-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral3/memory/2104-23-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral3/memory/2104-46-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral3/memory/2104-55-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral3/memory/2592-52-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral3/memory/2592-53-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral3/memory/2592-52-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral3/memory/2592-53-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Executes dropped EXE 4 IoCs

pid	Process
2332	fiufj.exe
2104	cvtres.exe
824	cvtres.exe
2592	cvtres.exe

Loads dropped DLL 5 IoCs

pid	Process
2368	KMS.exe
2332	fiufj.exe
2332	fiufj.exe
2104	cvtres.exe
2104	cvtres.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 2104	2332	fiufj.exe	31
PID 2104 set thread context of 824	2104	cvtres.exe	32
PID 2104 set thread context of 2592	2104	cvtres.exe	35

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/824-35-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral3/memory/824-39-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral3/memory/824-40-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral3/memory/824-41-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral3/memory/824-43-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral3/memory/2592-49-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2592-51-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2592-52-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2592-53-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fiufj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	cvtres.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2332	2368	KMS.exe	30
PID 2368 wrote to memory of 2332	2368	KMS.exe	30
PID 2368 wrote to memory of 2332	2368	KMS.exe	30
PID 2368 wrote to memory of 2332	2368	KMS.exe	30
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2332 wrote to memory of 2104	2332	fiufj.exe	31
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 824	2104	cvtres.exe	32
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35
PID 2104 wrote to memory of 2592	2104	cvtres.exe	35

C:\Users\Admin\AppData\Local\Temp\[Suamaytinhtainha115.VN] Windows 8 Loader\KMS.exe
"C:\Users\Admin\AppData\Local\Temp\[Suamaytinhtainha115.VN] Windows 8 Loader\KMS.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\fiufj.exe
  "C:\Users\Admin\AppData\Local\Temp\fiufj.exe" cvtres.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\BaaNIUHJiz.ini"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:824
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\yHuITJSvyw.ini"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BaaNIUHJiz.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
1024B

MD5
54b1c45da8980b32759042e2c3c78dfb

SHA1
11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

SHA256
9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

SHA512
73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiufj.exe

Filesize
259KB

MD5
030c425475913c419d2233c765eee6a5

SHA1
f1397a237c242dcda4b315c3e990b3e534c6e3c9

SHA256
1c8c5b5a623265d776c642708eeb5251bdcfde913f928c6369ab8121189fa8a7

SHA512
ec901e822272a8a7e2e24d782d5f6796b5a31294c5ef42488f671071467afd894cd5807e263808f584970d42663e1e2c809c325aeee82fbdee9f27e44026462d

Download Submit
memory/824-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-35-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-12-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-11-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-16-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-30-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-2-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-10-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-0-0x0000000074841000-0x0000000074842000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download