MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ISRStealer


Vendor detections: 14



SHA256 hash: 78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097
SHA3-384 hash: 3dc50dd832fa3f7949cabbdf09e25bcaef11bd4e6ccad5f07bdeeff6d8e791f6c75e25eded6a9d018f7065429ede8c67
SHA1 hash: 05224683315e5bd369459a0261627f04e2e49c31
MD5 hash: 9b2179379bb6e1db0736ff6f0d1802d7
humanhash: shade-uranus-utah-neptune
File name: Halkbank,pdf.exe
Signature: ISRStealer
File size: 792'576 bytes
First seen: 2023-09-21 14:48:59 UTC
Last seen: 2023-09-22 22:20:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cb753eacb4bd6e85a17295611a902842 (1 x ISRStealer)
ssdeep: 12288:NGDOji83jDZJ0CbJOOBgVIjPLPEZkckxpG1QcA3HxiffSogx8E9k8BJQ:wCF3j9GeJOVVIjTxlL3AffSoU8+k8o
Threatray: 597 similar samples on MalwareBazaar
TLSH: T1C5F4C072B2A04837D123D63D9C5B976C993BFD103D28998F6BF51C0C6F3964139AA293
TrID: 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      32.8% (.SCR) Windows screen saver (13097/50/3)
      11.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: nobody
Tags: exe Info stealers ISRStealer

Intelligence


File Origin
# of uploads:
3
# of downloads:
280
Origin country:
DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Reading critical registry keys
Creating a file in the %temp% directory
DNS request
Searching for the window
Stealing user critical data
Gathering data
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
ISRStealer, MailPassView
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.LokiBot
Status:
Malicious
First seen:
2017-11-06 09:12:28 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
33 of 38 (86.84%)
Threat level:
5/5
Result
Malware family:
isrstealer
Score:
10/10
Tags:
family:isrstealer collection spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Reads user/profile data of web browsers
UPX packed file
NirSoft MailPassView
Nirsoft
ISR Stealer
ISR Stealer payload
Unpacked files
SHA256 hash:
68d2b3836067785a5cd49d5865600be455910d785d5804bd95712ad45ca570bd
MD5 hash:
5c2e3e961e093aee9a10910a9319a779
SHA1 hash:
7fd994ac92f1b9ef5179446539087bed0c266380
Detections:
NirSoftMailPassView
SHA256 hash:
34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9
MD5 hash:
0208c859f6da9e03bc54df7f006aa7e6
SHA1 hash:
3e98ce9290a931ab5fa015a92e5447152cf62920
SHA256 hash:
715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61
MD5 hash:
e78ad5a835a4423ddb8a1944204f21f5
SHA1 hash:
9f20909a5c25f4358e82180f3345ad974e983097
SHA256 hash:
44b25faf5fd979026b4d45bc46ece609f07b1d6a9d571a788e83e604a6946b79
MD5 hash:
1e98c00d2ee2d48f7a46ac8e5757b05b
SHA1 hash:
20477701537434bda1eb177aa2a1b748822527bd
Detections:
win_isr_stealer_auto win_isr_stealer_a0
SHA256 hash:
78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097
MD5 hash:
9b2179379bb6e1db0736ff6f0d1802d7
SHA1 hash:
05224683315e5bd369459a0261627f04e2e49c31
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments