MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ISRStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974
SHA3-384 hash: e4d56c2a7d9325ae3246bb39880df37cd05e33dfdd97e61f53da85f77ea239b3e6639c14461f350d3ebacc2f4c944e03
SHA1 hash: edfc777eaed6e894b9e7b891e56488fe628f3119
MD5 hash: 6d3266d7a38bb96794e8f245ce253c0d
humanhash: virginia-uranus-whiskey-indigo
File name:deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974
Download: download sample
Signature ISRStealer
Create hunting rule
File size:995'328 bytes
First seen:2020-11-12 14:38:36 UTC
Last seen:2024-07-24 22:13:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep 24576:01KMSJwgt+6ygZ5zsJwu6jSiak2wbJDX8PGc3s/:01RSJtt+Ba5Qyu6jXOwtPe8
Threatray 395 similar samples on MalwareBazaar
TLSH FB25AF22ADA05837D563363DCC0B5BA49F25BF313924A9862BFD3D0F5F79A407825293
Reporter seifreed
Tags:ISRStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Eyqd-9789766-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
DNS request
Connection attempt
Deleting a recently created file
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ISRStealer MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533414
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Early bird code injection technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 315811 Sample: 5KNIJTZitX Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 97 spia-indonesia.org 2->97 111 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->111 113 Multi AV Scanner detection for submitted file 2->113 115 Yara detected ISRStealer 2->115 117 4 other signatures 2->117 12 5KNIJTZitX.exe 2->12         started        15 wscript.exe 1 2->15         started        signatures3 process4 signatures5 175 Detected unpacking (changes PE section rights) 12->175 177 Detected unpacking (overwrites its own PE header) 12->177 179 Tries to steal Mail credentials (via file registry) 12->179 181 5 other signatures 12->181 17 5KNIJTZitX.exe 12->17         started        19 5KNIJTZitX.exe 14 12->19         started        22 notepad.exe 1 12->22         started        25 5KNIJTZitX.exe 15->25         started        process6 dnsIp7 27 5KNIJTZitX.exe 17->27         started        99 spia-indonesia.org 202.52.146.120, 49721, 49723, 49725 GMEDIA-AS-IDGlobalMediaTeknologiPTID Indonesia 19->99 30 5KNIJTZitX.exe 19->30         started        33 5KNIJTZitX.exe 1 19->33         started        35 notepad.exe 19->35         started        38 5KNIJTZitX.exe 1 19->38         started        129 Drops VBS files to the startup folder 22->129 131 Delayed program exit found 22->131 133 Writes to foreign memory regions 25->133 135 Allocates memory in foreign processes 25->135 137 Maps a DLL or memory area into another process 25->137 40 5KNIJTZitX.exe 25->40         started        42 5KNIJTZitX.exe 14 25->42         started        44 notepad.exe 1 25->44         started        signatures8 process9 dnsIp10 145 Writes to foreign memory regions 27->145 147 Allocates memory in foreign processes 27->147 149 Maps a DLL or memory area into another process 27->149 46 5KNIJTZitX.exe 27->46         started        48 5KNIJTZitX.exe 14 27->48         started        51 notepad.exe 1 27->51         started        107 spia-indonesia.org 30->107 151 Sample uses process hollowing technique 30->151 153 Tries to steal Instant Messenger accounts or passwords 33->153 155 Tries to steal Mail credentials (via file access) 33->155 93 C:\Users\user\AppData\Roaming\...\.....vbs, ASCII 35->93 dropped 53 5KNIJTZitX.exe 40->53         started        109 spia-indonesia.org 42->109 157 Injects a PE file into a foreign processes 42->157 56 5KNIJTZitX.exe 42->56         started        58 5KNIJTZitX.exe 42->58         started        file11 signatures12 process13 dnsIp14 60 5KNIJTZitX.exe 46->60         started        95 spia-indonesia.org 48->95 63 5KNIJTZitX.exe 48->63         started        65 5KNIJTZitX.exe 48->65         started        119 Writes to foreign memory regions 53->119 121 Allocates memory in foreign processes 53->121 123 Maps a DLL or memory area into another process 53->123 67 5KNIJTZitX.exe 53->67         started        70 5KNIJTZitX.exe 53->70         started        72 notepad.exe 53->72         started        125 Tries to steal Instant Messenger accounts or passwords 56->125 127 Tries to steal Mail credentials (via file access) 56->127 signatures15 process16 dnsIp17 183 Writes to foreign memory regions 60->183 185 Allocates memory in foreign processes 60->185 187 Maps a DLL or memory area into another process 60->187 74 5KNIJTZitX.exe 60->74         started        78 notepad.exe 60->78         started        80 5KNIJTZitX.exe 60->80         started        189 Tries to steal Instant Messenger accounts or passwords 63->189 191 Tries to steal Mail credentials (via file access) 63->191 101 spia-indonesia.org 67->101 103 192.168.2.1 unknown unknown 67->103 193 Injects a PE file into a foreign processes 67->193 82 5KNIJTZitX.exe 67->82         started        84 5KNIJTZitX.exe 67->84         started        86 5KNIJTZitX.exe 70->86         started        signatures18 process19 dnsIp20 105 spia-indonesia.org 74->105 159 Early bird code injection technique detected 74->159 161 Sample uses process hollowing technique 74->161 163 Injects a PE file into a foreign processes 74->163 88 5KNIJTZitX.exe 74->88         started        91 5KNIJTZitX.exe 74->91         started        165 Tries to steal Instant Messenger accounts or passwords 82->165 167 Tries to steal Mail credentials (via file access) 82->167 169 Writes to foreign memory regions 86->169 171 Allocates memory in foreign processes 86->171 173 Maps a DLL or memory area into another process 86->173 signatures21 process22 signatures23 139 Tries to steal Instant Messenger accounts or passwords 88->139 141 Tries to steal Mail credentials (via file access) 88->141 143 Tries to harvest and steal browser information (history, passwords, etc) 91->143
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974/
Threat name:
Win32.Infostealer.Chisburg
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:41:47 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33pnmoxumz67gclfm3lbl457nv6zbdqytlsgrhx5y537iqmrpf2a._file
Verdict:
malicious
Similar samples:
2fa257b3457501af1b8f73df993a0426cf7f48ae3c092fb8543faf4e5e99dce9
ISRStealer
40555b0914b99c9e150e1bf415f051cccefde624c6677c6e4cd58a74ebd83512
ISRStealer
4160539b2a33925fa7937131a22d9b814e0be15026be9c416b323e704e49be12
ISRStealer
64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
ISRStealer
99e8e8f1ec69e184c986d1c35deb49f85df828936c933120edf58906c814ca53
ISRStealer
9f176d02e8b82e189b13f8c947e59973efb2115639f7e21187fe7e419d01c9c2
ISRStealer
9fdaeab4153639b870fcb0522b1e0801aceb515e51b20603a1413086a82825bf
ISRStealer
e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497
ISRStealer
f0e180d5a00ca5ab5c375261bd3b986b3ef7b5474fb5935b64caa7f02fb02148
ISRStealer
f8f3791ef07c0c58418b4f78c75675c70ac55e47912be15468caa338b214aea1
ISRStealer
+ 385 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/201112-2tnp83pnza/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974
MD5 hash:
6d3266d7a38bb96794e8f245ce253c0d
SHA1 hash:
edfc777eaed6e894b9e7b891e56488fe628f3119
Link:
https://www.unpac.me/results/a4e722ad-5361-4174-bb26-d0a7e07601e4/
SH256 hash:
715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61
MD5 hash:
e78ad5a835a4423ddb8a1944204f21f5
SHA1 hash:
9f20909a5c25f4358e82180f3345ad974e983097
Link:
https://www.unpac.me/results/a4e722ad-5361-4174-bb26-d0a7e07601e4/
SH256 hash:
e0eade57b828cdf5a7e4864129dee85ec85ecd481b43655b55b299d5686dece3
MD5 hash:
23d7d52e6c40ccfe5626efe2c1bc161c
SHA1 hash:
fc1ec7a44a7289ae9dc9d7245b493c412c80340d
Detections:
win_isr_stealer_a0
Create hunting rule
win_isr_stealer_auto
Create hunting rule
Link:
https://www.unpac.me/results/a4e722ad-5361-4174-bb26-d0a7e07601e4/
SH256 hash:
68a3a521ed091eefd7c7bc670adc7e244e0d9510eaa5898246eae542f00a41c8
MD5 hash:
bb5f7746bf823c4edb65fdad988b886c
SHA1 hash:
618c34480e38132adb744e6a3f1b0dd2ca791316
Link:
https://www.unpac.me/results/a4e722ad-5361-4174-bb26-d0a7e07601e4/
SH256 hash:
34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9
MD5 hash:
0208c859f6da9e03bc54df7f006aa7e6
SHA1 hash:
3e98ce9290a931ab5fa015a92e5447152cf62920
Link:
https://www.unpac.me/results/a4e722ad-5361-4174-bb26-d0a7e07601e4/
SH256 hash:
68d2b3836067785a5cd49d5865600be455910d785d5804bd95712ad45ca570bd
MD5 hash:
5c2e3e961e093aee9a10910a9319a779
SHA1 hash:
7fd994ac92f1b9ef5179446539087bed0c266380
Link:
https://www.unpac.me/results/a4e722ad-5361-4174-bb26-d0a7e07601e4/
Parent samples :
78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097
4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7
e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
2107230497983a8313e0776ee14087ec2e7b9ebf63f39378f3d29846b7492f27
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments