MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe85b846350851dd4f83dfed498ae60f85d4129329c24d831567609c8ab553e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ISRStealer


Vendor detections: 14



SHA256 hash: bfe85b846350851dd4f83dfed498ae60f85d4129329c24d831567609c8ab553e
SHA3-384 hash: b57ac6f047adc7575cc1caee4093e6c5edd650471a47cb1b47eeae75192ab5eb46c6a8d73ddd3aef7e283af00c35529c
SHA1 hash: 00cc3c01ce1a7d388f38974be703952d37ca054b
MD5 hash: 9b009661045ff096be3dca7bbb011fa7
humanhash: cat-july-november-bacon
File name: BFE85B846350851DD4F83DFED498AE60F85D4129329C2.exe
Signature ISRStealer
File size: 929'280 bytes
First seen: 2021-08-02 04:35:28 UTC
Last seen: 2021-08-02 05:51:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:VynVxDKBr1HugeYoNgaxvRM+O61nRlUUvqlqma4y24SCHevZr5In+++++++++++m:VqtMpuXXvRkuRCUvqlqma4y24SCHevZm
Threatray 910 similar samples on MalwareBazaar
TLSH T12115F13B3EAB679BD832A13844AB818246613F59CC93C5737B5EFF08A973159235701E
dhash icon 60e0b2eab3e0e071 (1 x ISRStealer)
Reporter abuse_ch
Tags: exe ISRStealer


abuse_ch
ISRStealer C2:
http://www.bullseyecx.com.au/wp-admin/netflix/panel/gate.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://www.bullseyecx.com.au/wp-admin/netflix/panel/gate.php | https://threatfox.abuse.ch/ioc/165397/

Intelligence


File Origin
# of uploads :
2
# of downloads :
752
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BFE85B846350851DD4F83DFED498AE60F85D4129329C2.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 04:36:28 UTC
Tags:
trojan fareit pony stealer isrstealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Reading critical registry keys
DNS request
Connection attempt
Creating a file in the %temp% directory
Sending an HTTP POST request
Sending a UDP request
Launching a process
Creating a window
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Searching for the window
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot ISRStealer MailPassView Pony
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Lokibot Info Stealer
Detected unpacking (creates a PE file in dynamic memory)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Passes username and password via HTTP get
Pony trojan / infostealer detected
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Yara detected aPLib compressed binary
Yara detected ISRStealer
Yara detected MailPassView
Yara detected Pony
Behaviour
Behavior Graph: ID 457640, sample BFE85B846350851DD4F83DFED498AE60F85D4129329C2.exe, start date 02/08/2021, architecture WINDOWS, score 100. The graph itself is an image; the information recoverable from its node labels is summarised below.
Processes in graph: BFE85B846350851DD4F83DFED498AE60F85D4129329C2.exe (multiple instances), cmd.exe, conhost.exe, reg.exe, shit22.exe, WerFault.exe
Files dropped: C:\ProgramData\shit22.exe (PE32), C:\Users\user\AppData\Local\Temp\Update.txt (ASCII)
Network: www.bullseyecx.com.au / bullseyecx.com.au (13.55.248.1:443, AMAZON-02, United States), 192.168.2.1 (unknown)
Signatures attached to graph nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Detected unpacking (creates a PE file in dynamic memory); Tries to steal Mail credentials (via file registry); Uses cmd line tools excessively to alter registry or file data; Injects a PE file into a foreign processes; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected Lokibot Info Stealer; Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
Threat name:
Win32.Trojan.Razy
Status:
Malicious
First seen:
2018-05-11 12:30:54 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:isrstealer family:pony discovery persistence rat spyware stealer suricata trojan upx
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
NirSoft MailPassView
Nirsoft
ISR Stealer
ISR Stealer Payload
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
suricata: ET MALWARE ISRStealer Checkin
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
Malware Config
C2 Extraction:
https://www.bullseyecx.com.au/wp-admin/netflix/panel/gate.php
Unpacked files
SHA256 hash: 06848ca2b88d5a9c7af42b34a6c1b31872943532e57ee60b757c36970a9c058a
MD5 hash: a155408ab6c24d8be364f3ebbb620776
SHA1 hash: 81a49af5e53e9edd153cf2b17efdbdf121487aac

SHA256 hash: 34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9
MD5 hash: 0208c859f6da9e03bc54df7f006aa7e6
SHA1 hash: 3e98ce9290a931ab5fa015a92e5447152cf62920

SHA256 hash: 715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61
MD5 hash: e78ad5a835a4423ddb8a1944204f21f5
SHA1 hash: 9f20909a5c25f4358e82180f3345ad974e983097

SHA256 hash: 0a02725c8072917ca2f468e13511f715a4dbd38f2fa09077a28719ac275c7091
MD5 hash: 7784494ea98f6036acf27c28a198cb3b
SHA1 hash: fd2b5125c9b127fe44b4dae1d9e2642c64dc5b07
Detections: win_isr_stealer_a0 win_isr_stealer_auto

SHA256 hash: 5ef1bc00fff0086ee1130948a2f1d100cbbe130383213d8efefc3a13faf95cf6
MD5 hash: ef77193d01730fbea60cb75a74cef97b
SHA1 hash: bf568620d1f23ec64e3bcac14d16ecd3a9ea29d1
Detections: win_isr_stealer_a0 win_pony_g0 win_isr_stealer_auto

SHA256 hash: fd68f9eb93c8469bb54ead8e4639bc5429b4cb03f6d1b46ef59118fa9b5bd6ea
MD5 hash: 91261f580b98b49ceb3d04e9250c27a1
SHA1 hash: 3aa53d682b361156bf15ab3582493d60dc4449c9

SHA256 hash: aa2bac350cb4ffb2d3836159701cd421dbf2f4da816470adfd60691ab9f33a82
MD5 hash: 2ff7434e34f1c90433e2f7581d7875be
SHA1 hash: 23ebb13c84f5a8ea828dbb9e095a430b637274b6
Detections: win_pony_g0 win_pony_auto

SHA256 hash: bfe85b846350851dd4f83dfed498ae60f85d4129329c24d831567609c8ab553e
MD5 hash: 9b009661045ff096be3dca7bbb011fa7
SHA1 hash: 00cc3c01ce1a7d388f38974be703952d37ca054b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: MALWARE_Win_ISRStealer
Author: ditekSHen
Description: ISRStealer payload
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_isr_stealer_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.isr_stealer.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments