MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ISRStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497
SHA3-384 hash: 0b197fb368034e33b6e298dbd2b258207cd177ab9df1d0302ec254e75a83de2cec84dc904e6a31ad72c8e579facf1cf4
SHA1 hash: fa02ffb18572cf06aedff51e0502c1b7f0182eb3
MD5 hash: cbc2d6f19dba0ecb1b317a8b22907296
humanhash: michigan-nuts-bulldog-delta
File name:HBL SCAN03-XML.eml.exe
Download: download sample
Signature ISRStealer
Create hunting rule
File size:995'840 bytes
First seen:2020-11-06 17:33:01 UTC
Last seen:2020-11-09 06:33:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep 24576:qVMHwG0ON514iuyWEpajRsRgHPm3YED0v8fS:qVtGXrGi/hpajRfmIgfS
Threatray 515 similar samples on MalwareBazaar
TLSH B525AE22ADB14837C4233678DC1B5A689F36BF313924A9862BFD3D0F5F396457825293
Reporter abuse_ch
Tags:exe ISRStealer


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: jktd3khmail02v.cloudkilat.me
Sending IP: 103.43.47.239
From: Muhammad Imran Younas <contact@lesalignon.com>
Subject: HBL# KHI0021448 SHIPMENT
Attachment: HBL SCAN03-XML.eml.zip (contains "HBL SCAN03-XML.eml.exe")

Intelligence

File Origin
# of uploads :
21
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
DNS request
Connection attempt
Deleting a recently created file
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
ISRStealer MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523583
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 310894 Sample: HBL SCAN03-XML.eml.exe Startdate: 07/11/2020 Architecture: WINDOWS Score: 100 83 spia-indonesia.org 2->83 97 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Detected unpacking (changes PE section rights) 2->101 103 8 other signatures 2->103 11 HBL SCAN03-XML.eml.exe 2->11         started        14 wscript.exe 1 2->14         started        signatures3 process4 signatures5 137 Writes to foreign memory regions 11->137 139 Allocates memory in foreign processes 11->139 141 Maps a DLL or memory area into another process 11->141 143 Queues an APC in another process (thread injection) 11->143 16 HBL SCAN03-XML.eml.exe 11->16         started        18 HBL SCAN03-XML.eml.exe 12 11->18         started        22 notepad.exe 1 11->22         started        24 notepad.exe 11->24 injected 26 HBL SCAN03-XML.eml.exe 14->26         started        process6 dnsIp7 28 HBL SCAN03-XML.eml.exe 16->28         started        85 spia-indonesia.org 202.52.146.120, 443, 49720, 49721 GMEDIA-AS-IDGlobalMediaTeknologiPTID Indonesia 18->85 105 Injects a PE file into a foreign processes 18->105 31 HBL SCAN03-XML.eml.exe 1 18->31         started        33 HBL SCAN03-XML.eml.exe 1 18->33         started        107 Drops VBS files to the startup folder 22->107 109 Delayed program exit found 22->109 111 Writes to foreign memory regions 26->111 113 Allocates memory in foreign processes 26->113 115 Maps a DLL or memory area into another process 26->115 35 HBL SCAN03-XML.eml.exe 26->35         started        37 HBL SCAN03-XML.eml.exe 13 26->37         started        40 notepad.exe 1 26->40         started        signatures8 process9 dnsIp10 145 Writes to foreign memory regions 28->145 147 Allocates memory in foreign processes 28->147 149 Maps a DLL or memory area into another process 28->149 42 HBL SCAN03-XML.eml.exe 28->42         started        44 HBL SCAN03-XML.eml.exe 13 28->44         started        48 notepad.exe 1 28->48         started        151 Tries to steal Instant Messenger accounts or passwords 31->151 153 Tries to steal Mail credentials (via file access) 31->153 50 HBL SCAN03-XML.eml.exe 35->50         started        87 spia-indonesia.org 37->87 52 HBL SCAN03-XML.eml.exe 37->52         started        54 HBL SCAN03-XML.eml.exe 37->54         started        signatures11 process12 dnsIp13 56 HBL SCAN03-XML.eml.exe 42->56         started        91 spia-indonesia.org 44->91 93 192.168.2.1 unknown unknown 44->93 155 Injects a PE file into a foreign processes 44->155 59 HBL SCAN03-XML.eml.exe 44->59         started        61 HBL SCAN03-XML.eml.exe 44->61         started        157 Writes to foreign memory regions 50->157 159 Allocates memory in foreign processes 50->159 161 Maps a DLL or memory area into another process 50->161 63 HBL SCAN03-XML.eml.exe 50->63         started        66 notepad.exe 50->66         started        68 HBL SCAN03-XML.eml.exe 50->68         started        163 Tries to steal Instant Messenger accounts or passwords 52->163 165 Tries to steal Mail credentials (via file access) 52->165 signatures14 process15 dnsIp16 123 Writes to foreign memory regions 56->123 125 Allocates memory in foreign processes 56->125 127 Maps a DLL or memory area into another process 56->127 70 HBL SCAN03-XML.eml.exe 56->70         started        74 notepad.exe 56->74         started        77 HBL SCAN03-XML.eml.exe 56->77         started        129 Tries to steal Instant Messenger accounts or passwords 59->129 131 Tries to steal Mail credentials (via file access) 59->131 95 spia-indonesia.org 63->95 133 Sample uses process hollowing technique 63->133 135 Injects a PE file into a foreign processes 63->135 79 HBL SCAN03-XML.eml.exe 63->79         started        signatures17 process18 dnsIp19 89 spia-indonesia.org 70->89 117 Sample uses process hollowing technique 70->117 119 Injects a PE file into a foreign processes 70->119 81 C:\Users\user\AppData\Roaming\...\....vbs, ASCII 74->81 dropped 121 Tries to harvest and steal browser information (history, passwords, etc) 79->121 file20 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 13:33:27 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kccztfcvigqvu4xv5uhsnxqtsaz6qzjyur26jr6ybmaao54qslq._file
Verdict:
malicious
Similar samples:
012a8b58a7e5e04737ee8c5c004e1272b98e0dcf8bcb025f1573e63de8b2f7e9
ISRStealer
0d851cea1f67f96084284555592a8b7037595b8cde621342489c7d52efccc8f2
ISRStealer
64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
ISRStealer
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
ISRStealer
829b61183bd6535cd7f8ecaa211cc2ebbbef3fd8124acea0ccdd8b8572524ee2
ISRStealer
973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea
ISRStealer
99e8e8f1ec69e184c986d1c35deb49f85df828936c933120edf58906c814ca53
ISRStealer
9fdaeab4153639b870fcb0522b1e0801aceb515e51b20603a1413086a82825bf
ISRStealer
dbf19db7d0a4b842c4652e84edf70acbf1e1d2a9bd50403ba8fa0cd5abbba587
ISRStealer
f0e180d5a00ca5ab5c375261bd3b986b3ef7b5474fb5935b64caa7f02fb02148
ISRStealer
+ 505 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/201106-kzlpe16k3x/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497
MD5 hash:
cbc2d6f19dba0ecb1b317a8b22907296
SHA1 hash:
fa02ffb18572cf06aedff51e0502c1b7f0182eb3
Link:
https://www.unpac.me/results/0fbf0f0d-aa19-4a5e-95fe-c22cc25658a8/
SH256 hash:
033fccb8ce16707c5c794d482504af895e94bde3b33be0017d201334337b5be2
MD5 hash:
d0e1f324897a26d742c8277178f48144
SHA1 hash:
e504d1ca8d2083a4d1e38268f07f246c6f3975e2
Detections:
win_isr_stealer_a0
Create hunting rule
win_isr_stealer_auto
Create hunting rule
Link:
https://www.unpac.me/results/0fbf0f0d-aa19-4a5e-95fe-c22cc25658a8/
SH256 hash:
715472bbb65283ee8269de8b2d5f3c3284e52b5bd8022d59b87111db51be4d61
MD5 hash:
e78ad5a835a4423ddb8a1944204f21f5
SHA1 hash:
9f20909a5c25f4358e82180f3345ad974e983097
Link:
https://www.unpac.me/results/0fbf0f0d-aa19-4a5e-95fe-c22cc25658a8/
SH256 hash:
34e4a870213f0a360565cc7f22aa88f39068ff2ff1e5089e4ff571166eda90c9
MD5 hash:
0208c859f6da9e03bc54df7f006aa7e6
SHA1 hash:
3e98ce9290a931ab5fa015a92e5447152cf62920
Link:
https://www.unpac.me/results/0fbf0f0d-aa19-4a5e-95fe-c22cc25658a8/
SH256 hash:
68d2b3836067785a5cd49d5865600be455910d785d5804bd95712ad45ca570bd
MD5 hash:
5c2e3e961e093aee9a10910a9319a779
SHA1 hash:
7fd994ac92f1b9ef5179446539087bed0c266380
Link:
https://www.unpac.me/results/0fbf0f0d-aa19-4a5e-95fe-c22cc25658a8/
Parent samples :
78dda119ddc3b77095009f357809e3451bb897e51053601b1088ae5c61949097
4f619c7b4f54dd6ed7833880c8600334c42084a20c73d9b76973d45202a734c7
e116864cc4443f4179cd0938dd0ef49a4217e66ca3534d4d96bdd0d54f17ff0d
2107230497983a8313e0776ee14087ec2e7b9ebf63f39378f3d29846b7492f27
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ISRStealer

zip d6153d2cc6424424159b7d2093e6e388bd18db1effe60ce36cebf61f0382bc77

ISRStealer

Executable exe e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497

(this sample)

  
Dropped by
MD5 4fa12fc162acc3eadbdbbf970075f5f6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d6153d2cc6424424159b7d2093e6e388bd18db1effe60ce36cebf61f0382bc77

Comments