MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ISRStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash:	e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
SHA3-384 hash:	dd8a42dd0fdb1595f3825c1c83dc632c4105aed79dc0d41b91c1423d5481ddc295c5a39156f5b0940eb6294a8d7c1235
SHA1 hash:	177ef72837380cff667111373695138decc972f3
MD5 hash:	8c57dda2b134801321a87c65cfb4fd85
humanhash:	seventeen-east-dakota-mars
File name:	Halkbank Ekstresi_910036577921.pdf.exe
Download:	download sample
Signature	ISRStealer Create hunting rule
File size:	883'952 bytes
First seen:	2023-09-22 22:19:32 UTC
Last seen:	2023-09-22 22:19:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep	24576:P2O/GlsQSLG/5vEprm6QTkw7g6zwm4m53Sb2xIJ:GSLLmJkw5kFm53SyxIJ
TLSH	T14C152303B3C848B5EB9351712DBE2B9BC978F134517CA68AFB111A1E7E16183C617B63
TrID	77.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 3.8% (.SCR) Windows screen saver (13097/50/3) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	8e132564289c9c29 (1 x ISRStealer)
Reporter	nobody
Tags:	exe infostealler ISRStealer

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Halkbank Ekstresi_910036577921.pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-09-22 22:19:56 UTC

Tags:

autoit stealer

Link:

https://app.any.run/tasks/506ade78-e1bb-4b99-991e-a1c67e4bcb2e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ISRStealer

Link:

https://www.capesandbox.com/analysis/450680/

Detection(s):

Win.Dropper.DarkKomet-9878589-0

Win.Dropper.Formbook-9882456-0

Win.Dropper.Remcos-9884151-0

SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Delayed reading of the file

Creating a process from a recently created file

Enabling the 'hidden' option for files in the %temp% directory

Launching a process

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

91%

Tags:

autoit control crypto greyware keylogger lolbin masquerade overlay packed packed replace shell32 virus

Link:

https://www.filescan.io/uploads/650e131332ffdb7a7a109bf2/reports/28aaee92-9aaf-4529-ab82-19ca808f5117/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0126ae94-644f-43ac-9588-6de372b7671d

Result

Threat name:

ISRStealer, MailPassView

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1313145

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to modify clipboard data

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected ISRStealer

Yara detected MailPassView

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d/

Threat name:

Win32.Spyware.Plimrost

Status:

Malicious

First seen:

2017-07-25 05:19:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4elimtgeiq7uc6onbe4n2dxutjbbpztmunju2tmwxxinktyx74gq._file

Result

Malware family:

isrstealer

Score:

10/10

Tags:

family:isrstealer collection persistence stealer trojan upx

Link:

https://tria.ge/reports/230922-183btsce96/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

NirSoft MailPassView

Nirsoft

ISR Stealer payload

ISR Stealer

Unpacked files

SH256 hash:

c7d99677f71a935eb4bdf84c5caedc947e09fe23f60b143698eaed403369e7ff

MD5 hash:

a04b5a0e145f150e6d6e74365b12adb3

SHA1 hash:

daa1506ec8605257fb0def9161416f62e2cc797e

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

SH256 hash:

68d2b3836067785a5cd49d5865600be455910d785d5804bd95712ad45ca570bd

MD5 hash:

5c2e3e961e093aee9a10910a9319a779

SHA1 hash:

7fd994ac92f1b9ef5179446539087bed0c266380

Detections:

NirSoftMailPassView

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

Parent samples :

78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097
4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7
e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
2107230497983a8313e0776ee14087ec2e7b9ebf63f39378f3d29846b7492f27

SH256 hash:

34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9

MD5 hash:

0208c859f6da9e03bc54df7f006aa7e6

SHA1 hash:

3e98ce9290a931ab5fa015a92e5447152cf62920

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

SH256 hash:

715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61

MD5 hash:

e78ad5a835a4423ddb8a1944204f21f5

SHA1 hash:

9f20909a5c25f4358e82180f3345ad974e983097

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

SH256 hash:

5e191a8d02ec8719a816b0ae88d2c08a87b28d3914b6fad7fadc0c9d2590921b

MD5 hash:

baa24d736fbc45c5eb81b638d7c30431

SHA1 hash:

5f538774c65b3be84e31363409d6ead34d7db71c

Detections:

win_isr_stealer_auto

win_isr_stealer_a0

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

SH256 hash:

492ce452f0d14c1e4f31e5413834c81881b69c6c01325a1a2a623376699b03fe

MD5 hash:

966bc4b065f3a4737fe04cb2d575eb1b

SHA1 hash:

f6940373a64974e061d45d57c4a172e48e4db2dd

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

SH256 hash:

e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d

MD5 hash:

8c57dda2b134801321a87c65cfb4fd85

SHA1 hash:

177ef72837380cff667111373695138decc972f3

Link:

https://www.unpac.me/results/32e30a37-83fc-414c-b547-fc851edeeb72/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e116864cc444/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_ISRStealer Create hunting rule
Author:	ditekSHen
Description:	ISRStealer payload

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	win_isr_stealer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.isr_stealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450680/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample