MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ISRStealer


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea
SHA3-384 hash: 9565262439045cf8c39e79de67f76af53e608b785a4a823663c2a0a4652021fce6f6760247c3687f3fd8f69f4ec7e3cd
SHA1 hash: 333faf67223ef23d38c2aea5c752e55f4586bfeb
MD5 hash: 5d27a65d7b351dab1b3f7c8b69977c94
humanhash: kitten-purple-batman-skylark
File name:gggggggg.exe
Download: download sample
Signature ISRStealer
Create hunting rule
File size:1'027'072 bytes
First seen:2020-06-25 09:33:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a29f4efb911c4906418600fd25679688 (11 x Loki, 10 x AgentTesla, 2 x HawkEye)
ssdeep 24576:v69dI9Dl7bPF4sm9dNdNByMEfAm0F4rz6W5SstZuKs:v696/ieAm0F7F
Threatray 382 similar samples on MalwareBazaar
TLSH 6C25AFE2F6A14437C1721A3B4C6B52F558297E10AD28A5463BE4DDCC8FFB2413835EA7
Reporter abuse_ch
Tags:exe ISRStealer


Avatar
abuse_ch
Malspam distributing ISRStealer:

HELO: seguramenteatelier.pt
Sending IP: 156.96.118.33
From: Procure@seguramenteatelier.pt
Reply-To: procure11@gmail.com
Subject: Urgent Supplies Needed
Attachment: sample quotation.zip (contains "gggggggg.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
ISRStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14125/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.10803.7096.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file in the %temp% directory
Sending an HTTP GET request
Deleting a recently created file
Searching for the window
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s46gzjjpc5ewast3usxowzpc4pvgcbyhmuo5mnyzsje36s5aw3va._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
17fa709f1a866d573f997f8f1288d537de382cccc5a4f9c1811db9da34c016b2
ISRStealer
24fe76a4e6cd5623f2326d2f43de09b9b6f4de236e80ea5aca50b76da888c0af
ISRStealer
38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea
ISRStealer
64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
ISRStealer
68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3
ISRStealer
944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6
ISRStealer
99e8e8f1ec69e184c986d1c35deb49f85df828936c933120edf58906c814ca53
ISRStealer
a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
ISRStealer
aee0158a9f836306b64e6c99e732073aa81fe23944c91a3d0fcf9a92508019ec
ISRStealer
f0e180d5a00ca5ab5c375261bd3b986b3ef7b5474fb5935b64caa7f02fb02148
ISRStealer
+ 372 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200625-183br4vl9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ISRStealer

zip f7f93e079c0b31b91af8397148831eaaf2d73be934a460959a69e8b064531fe0

ISRStealer

Executable exe 973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea

(this sample)

  
Dropped by
MD5 2c55f588a608cd3c8fbdf2c604a3fc26
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14125/
  
Dropped by
SHA256 f7f93e079c0b31b91af8397148831eaaf2d73be934a460959a69e8b064531fe0

Comments