MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e81b7365448d43584265f438b0291abdc8985c12f8b27246e8424ef941995f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ISRStealer
Vendor detections: 7

SHA256 hash: e81b7365448d43584265f438b0291abdc8985c12f8b27246e8424ef941995f10
SHA3-384 hash: 333af5dc97c8e36b28d44255ae3d96b7daa9f6c0f0c472a551671addfb474f8916ed776f28c406c45a3c4975acc7853a
SHA1 hash: aded3c149e3d45d5f7fd13347e26be196a2f9322
MD5 hash: 2c0cb2b1bad99f3d8859cfddc00c5d35
humanhash: earth-stream-hydrogen-mike
File name: BANK DETAILS_PDF.exe
Signature: ISRStealer
File size: 994'304 bytes
First seen: 2020-11-07 11:28:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep: 12288:aVKdZyObtOG0OHttZpOohFSsymCpiuyWKNpaj31Nr4KtvM33PxfzFW3r0NTZUMV9:aVMHwG0ON514iuyWEpaj8Z/xfUr8UG
Threatray: 555 similar samples on MalwareBazaar
TLSH: E125AF62ADB04837C4633639DC1B5E686F26BF31392569862BFD3C0F5F396817825293
Reporter: abuse_ch
Tags: exe ISRStealer


abuse_ch
Malspam distributing ISRStealer:

HELO: prmail.shatel.com
Sending IP: 85.15.1.253
From: Accounts <a_nadakzadeh@ahvaz.shatel.ir>
Subject: Due Payment
Attachment: BANK DETAILS_PDF.gz (contains "BANK DETAILS_PDF.exe")

ISRStealer C2:
http://shanpak.com/wp-admin/PHP/index.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 84
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Reading critical registry keys
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Deleting a recently created file
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: ISRStealer MailPassView
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph (graph rendering not reproduced here): Behavior Graph ID 311016, Sample: BANK DETAILS_PDF.exe, Startdate: 07/11/2020, Architecture: WINDOWS, Score: 100.
Recoverable from the graph: BANK DETAILS_PDF.exe and wscript.exe are started at the root; BANK DETAILS_PDF.exe repeatedly starts further copies of itself and notepad.exe (writes to foreign memory regions, allocates memory in foreign processes, maps a DLL or memory area into another process, queues an APC in another process, injects a PE file into a foreign process, process hollowing); notepad.exe drops a VBS file to the startup folder (C:\Users\user\AppData\Roaming\...\.,..vbs, ASCII) and shows delayed program exit; injected copies try to steal Instant Messenger accounts or passwords, Mail credentials (via file access) and browser information (history, passwords, etc).
Network nodes in the graph: shanpak.com 192.185.192.28, ports 49721, 49723, 49724 (UNIFIEDLAYER-AS-1, United States); 192.168.2.1 (unknown).
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-11-06 13:17:33 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: spyware upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
UPX packed file
Unpacked files
Detections: win_isr_stealer_a0 win_isr_stealer_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Embedded_PE

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: ISRStealer, Executable exe e81b7365448d43584265f438b0291abdc8985c12f8b27246e8424ef941995f10 (this sample)

Delivery method: Distributed via e-mail attachment

Comments