MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ISRStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7
SHA3-384 hash:	7cc19225fab95f25587a4b948ef8b0d15c0398cd2b2d7aeea1f288f041fd9554e477c079e3433477c40bc316af48e462
SHA1 hash:	b5466d71f17fb9f454cee13a83faf7c1e2d0022d
MD5 hash:	04ce3268080cb301ad8202217685ca59
humanhash:	idaho-kitten-stairway-skylark
File name:	Halkbank,doc.exe
Download:	download sample
Signature	ISRStealer Create hunting rule
File size:	401'920 bytes
First seen:	2023-09-22 22:19:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:+/nedKoh5Y6yMYmWjBJlpeSzoD7O1CR3m:2gdh5NKtJD8PrR3m
TLSH	T1E684229E9FB4149DCD27E2F3AE6328A2C605BD0011A1A77D7EC6CC32B045DE4E6A3157
TrID	35.4% (.EXE) Win64 Executable (generic) (10523/12/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 6.9% (.ICL) Windows Icons Library (generic) (2059/9) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	601e96173321a906 (1 x ISRStealer)
Reporter	nobody
Tags:	exe infostealler ISRStealer

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Halkbank,doc.exe

Verdict:

Malicious activity

Analysis date:

2023-09-22 22:19:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cd506c22-d6ca-4df5-afd3-8757f0f36479

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450681/

Detection(s):

BC.Win.Packed.ConfuserEx-6428556-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a file

Creating a window

Reading critical registry keys

Creating a file in the %temp% directory

Sending a custom TCP request

DNS request

Searching for the window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/650e131432ffdb7a7a109bf4/reports/16004d7c-867a-47fd-934e-41b64fee4be7/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NirSoft

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5bb60cf4-ba4d-46df-877a-edef8c7d21c2

Result

Threat name:

ISRStealer, MailPassView

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1313144

Signature

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to modify clipboard data

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected ISRStealer

Yara detected MailPassView

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7/

Threat name:

ByteCode-MSIL.Spyware.Plimrost

Status:

Malicious

First seen:

2017-10-05 09:53:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j5qzy62pktow5v4dhcamqyadgtccbbfcbrz5tn3jopkfeavhgtdq._file

Result

Malware family:

isrstealer

Score:

10/10

Tags:

family:isrstealer collection spyware stealer trojan upx

Link:

https://tria.ge/reports/230922-183mlaaf2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Reads user/profile data of web browsers

UPX packed file

NirSoft MailPassView

Nirsoft

ISR Stealer

ISR Stealer payload

Unpacked files

SH256 hash:

68d2b3836067785a5cd49d5865600be455910d785d5804bd95712ad45ca570bd

MD5 hash:

5c2e3e961e093aee9a10910a9319a779

SHA1 hash:

7fd994ac92f1b9ef5179446539087bed0c266380

Detections:

NirSoftMailPassView

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

Parent samples :

78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097
4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7
e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
2107230497983a8313e0776ee14087ec2e7b9ebf63f39378f3d29846b7492f27

SH256 hash:

34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9

MD5 hash:

0208c859f6da9e03bc54df7f006aa7e6

SHA1 hash:

3e98ce9290a931ab5fa015a92e5447152cf62920

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

SH256 hash:

715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61

MD5 hash:

e78ad5a835a4423ddb8a1944204f21f5

SHA1 hash:

9f20909a5c25f4358e82180f3345ad974e983097

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

SH256 hash:

c03752705a0fa78adbacdc64cb59de8a9185ee66274a2f7d681bc289d6e8ed42

MD5 hash:

1fd0248a8cc67517ccf0d9e2544c9bf0

SHA1 hash:

987a141308479e02e40bacf5882bd3b261a84030

Detections:

win_isr_stealer_auto

win_isr_stealer_a0

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

SH256 hash:

c816e84409f2b63ef4e64ccef87a7c5cd35ea6b96ad77edfdb718f22a49f557d

MD5 hash:

0de224eba7b63687eedcfdd79a0ba391

SHA1 hash:

db7bbdad8b8a113d4419dbc236e17ce6c3fc01a1

Detections:

win_isr_stealer_auto

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

SH256 hash:

85391a2ab402101c5f04af30f80b545006049d19eb5cc40c39731b45bc1b4dca

MD5 hash:

67226cf05a6d446f35ea5285a9d2cad0

SHA1 hash:

cedc19d930f504651f0f529550e79babca9f2f25

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

SH256 hash:

4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7

MD5 hash:

04ce3268080cb301ad8202217685ca59

SHA1 hash:

b5466d71f17fb9f454cee13a83faf7c1e2d0022d

Link:

https://www.unpac.me/results/f02bb189-54d5-40e2-b08c-f3b2f57ffca4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4f619c7b4f54/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450681/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample