MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ISRStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76
SHA3-384 hash: 4e57f268755d410b588969aec4f544f338658570cae7fc5d84772b7bef0fc99798940497f94bd06e405b6ce746363e69
SHA1 hash: 7c998738a22b886f249d02044123ecbee524f225
MD5 hash: 71f119694ecebddd6968fb07e65ed4a9
humanhash: vermont-skylark-double-mango
File name:3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76
Download: download sample
Signature ISRStealer
Create hunting rule
File size:994'304 bytes
First seen:2020-11-13 15:49:46 UTC
Last seen:2024-07-24 13:20:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep 12288:7HRCOAKfaIrNzo23Z7XjikYeK6OClCZgKrj31Nr4KtvM33PxfzFW3r0NTZUMVz8I:7HUyaIrNUsTJOClCuKrj8Z/xfUr8UG
Threatray 404 similar samples on MalwareBazaar
TLSH 5225BF22ADA09837D423353DCC0B5E645F26BF313925A9862BFD3C0F5F79A817825293
Reporter seifreed
Tags:ISRStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Eyqd-9789766-0
Create hunting rule

Win.Dropper.LokiBot-9792233-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Deleting a recently created file
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ISRStealer MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536499
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 317350 Sample: wTfsaJXrzP Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 89 shanpak.com 2->89 105 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 Yara detected ISRStealer 2->109 111 4 other signatures 2->111 12 wTfsaJXrzP.exe 2->12         started        15 wscript.exe 1 2->15         started        signatures3 process4 signatures5 147 Detected unpacking (changes PE section rights) 12->147 149 Detected unpacking (overwrites its own PE header) 12->149 151 Tries to steal Mail credentials (via file registry) 12->151 153 5 other signatures 12->153 17 wTfsaJXrzP.exe 12->17         started        19 wTfsaJXrzP.exe 12 12->19         started        23 notepad.exe 1 12->23         started        25 wTfsaJXrzP.exe 15->25         started        process6 dnsIp7 27 wTfsaJXrzP.exe 17->27         started        91 shanpak.com 192.185.192.28, 49717, 49719, 49720 UNIFIEDLAYER-AS-1US United States 19->91 113 Injects a PE file into a foreign processes 19->113 30 wTfsaJXrzP.exe 1 19->30         started        32 wTfsaJXrzP.exe 1 19->32         started        115 Drops VBS files to the startup folder 23->115 117 Delayed program exit found 23->117 119 Writes to foreign memory regions 25->119 121 Allocates memory in foreign processes 25->121 123 Maps a DLL or memory area into another process 25->123 34 wTfsaJXrzP.exe 25->34         started        36 wTfsaJXrzP.exe 13 25->36         started        39 notepad.exe 1 25->39         started        signatures8 process9 dnsIp10 135 Writes to foreign memory regions 27->135 137 Allocates memory in foreign processes 27->137 139 Maps a DLL or memory area into another process 27->139 41 wTfsaJXrzP.exe 27->41         started        43 wTfsaJXrzP.exe 13 27->43         started        47 notepad.exe 1 27->47         started        141 Tries to steal Instant Messenger accounts or passwords 30->141 143 Tries to steal Mail credentials (via file access) 30->143 49 wTfsaJXrzP.exe 34->49         started        93 shanpak.com 36->93 145 Injects a PE file into a foreign processes 36->145 51 wTfsaJXrzP.exe 36->51         started        53 wTfsaJXrzP.exe 36->53         started        signatures11 process12 dnsIp13 55 wTfsaJXrzP.exe 41->55         started        97 shanpak.com 43->97 155 Injects a PE file into a foreign processes 43->155 58 wTfsaJXrzP.exe 43->58         started        60 wTfsaJXrzP.exe 43->60         started        157 Writes to foreign memory regions 49->157 159 Allocates memory in foreign processes 49->159 161 Maps a DLL or memory area into another process 49->161 62 wTfsaJXrzP.exe 49->62         started        65 notepad.exe 49->65         started        68 wTfsaJXrzP.exe 49->68         started        163 Tries to steal Instant Messenger accounts or passwords 51->163 165 Tries to steal Mail credentials (via file access) 51->165 signatures14 process15 dnsIp16 125 Writes to foreign memory regions 55->125 127 Allocates memory in foreign processes 55->127 129 Maps a DLL or memory area into another process 55->129 70 wTfsaJXrzP.exe 55->70         started        73 notepad.exe 55->73         started        75 wTfsaJXrzP.exe 55->75         started        131 Tries to steal Instant Messenger accounts or passwords 58->131 133 Tries to steal Mail credentials (via file access) 58->133 99 shanpak.com 62->99 77 wTfsaJXrzP.exe 62->77         started        80 wTfsaJXrzP.exe 62->80         started        87 C:\Users\user\AppData\Roaming\...\.,..vbs, ASCII 65->87 dropped file17 signatures18 process19 dnsIp20 95 shanpak.com 70->95 82 wTfsaJXrzP.exe 70->82         started        85 wTfsaJXrzP.exe 70->85         started        167 Tries to steal Instant Messenger accounts or passwords 77->167 169 Tries to steal Mail credentials (via file access) 77->169 171 Tries to harvest and steal browser information (history, passwords, etc) 80->171 signatures21 process22 signatures23 101 Tries to steal Instant Messenger accounts or passwords 82->101 103 Tries to steal Mail credentials (via file access) 82->103
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 15:57:56 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwcen4mdbjvac6dxrdb6gnek2mgs6kpkwe7z5rhvs5gzi6r2b53a._file
Verdict:
malicious
Similar samples:
2fa257b3457501af1b8f73df993a0426cf7f48ae3c092fb8543faf4e5e99dce9
ISRStealer
64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
ISRStealer
973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea
ISRStealer
99e8e8f1ec69e184c986d1c35deb49f85df828936c933120edf58906c814ca53
ISRStealer
9fdaeab4153639b870fcb0522b1e0801aceb515e51b20603a1413086a82825bf
ISRStealer
deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974
ISRStealer
e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497
ISRStealer
e81b7365448d43584265f438b0291abdc8985c12f8b27246e8424ef941995f10
ISRStealer
f0e180d5a00ca5ab5c375261bd3b986b3ef7b5474fb5935b64caa7f02fb02148
ISRStealer
f8f3791ef07c0c58418b4f78c75675c70ac55e47912be15468caa338b214aea1
ISRStealer
+ 394 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/201113-b63fx9s5wj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76
MD5 hash:
71f119694ecebddd6968fb07e65ed4a9
SHA1 hash:
7c998738a22b886f249d02044123ecbee524f225
Link:
https://www.unpac.me/results/117c6db8-ae52-47a1-8bd3-d1daad5db368/
SH256 hash:
715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61
MD5 hash:
e78ad5a835a4423ddb8a1944204f21f5
SHA1 hash:
9f20909a5c25f4358e82180f3345ad974e983097
Link:
https://www.unpac.me/results/117c6db8-ae52-47a1-8bd3-d1daad5db368/
SH256 hash:
18c57887ca0c3d185988c82e642f9c4f07d2f7de5e69fee4f2aa897db4bd3769
MD5 hash:
c59eccd9cee054f4a72d1524c9b7bfaa
SHA1 hash:
d7bc3828482b27ba9a7567861f6e8b0ec9d76226
Detections:
win_isr_stealer_a0
Create hunting rule
win_isr_stealer_auto
Create hunting rule
Link:
https://www.unpac.me/results/117c6db8-ae52-47a1-8bd3-d1daad5db368/
SH256 hash:
514a9019a2295d0bc365ae6a9aae6da0f47bacf9eabfbc4160ee4d483492ebb4
MD5 hash:
d2210cedcc6d793fa263fb0f27445210
SHA1 hash:
4ae729f6d9024e97632885941d8bfa0d4b2ec310
Link:
https://www.unpac.me/results/117c6db8-ae52-47a1-8bd3-d1daad5db368/
SH256 hash:
34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9
MD5 hash:
0208c859f6da9e03bc54df7f006aa7e6
SHA1 hash:
3e98ce9290a931ab5fa015a92e5447152cf62920
Link:
https://www.unpac.me/results/117c6db8-ae52-47a1-8bd3-d1daad5db368/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments