MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8f3791ef07c0c58418b4f78c75675c70ac55e47912be15468caa338b214aea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ISRStealer

Vendor detections: 7

SHA256 hash: f8f3791ef07c0c58418b4f78c75675c70ac55e47912be15468caa338b214aea1
SHA3-384 hash: d3df2de7ca30c77452709db046ef725f90664fec287eea2a54915f5831c32506817c5413ad94640aca12e17816995679
SHA1 hash: b76420a7d238afe113c8f986864127d415988b0f
MD5 hash: 76fc0e52ba87a19c6bcfc0a444cd5d26
humanhash: purple-thirteen-tango-mockingbird
File name: New Contract Order.exe
Signature: ISRStealer
File size: 995'328 bytes
First seen: 2020-11-09 16:15:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep: 24576:yVMHwG0ON514iuyWEpajSiak2wbJDX8PGc3s/:yVtGXrGi/hpajXOwtPe8
Threatray: 426 similar samples on MalwareBazaar
TLSH: C125AF22ADA18837C16336399D1B5B689F36BF313924B98627FC3D0F5F396417825293
Reporter: abuse_ch
Tags: exe ISRStealer


abuse_ch
Malspam distributing unidentified malware:

HELO: jacobpharma.com
Sending IP: 209.58.149.114
From: "Puchase Dept." <info@jacobpharma.com>
Subject: AW: AW: New Contract Order
Attachment: New Contract Order.zip (contains "New Contract Order.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
DNS request
Connection attempt
Deleting a recently created file
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: ISRStealer MailPassView
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph: (graph rendering omitted) Behavior Graph ID: 312430; Sample: New Contract Order.exe; Startdate: 09/11/2020; Architecture: WINDOWS; Score: 100. Network contact shown in the graph: spia-indonesia.org (202.52.146.120, port 443, GMEDIA-AS-ID Global Media Teknologi PT, Indonesia); dropped file: C:\Users\user\AppData\Roaming\...\.....vbs (ASCII).
Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2020-11-09 12:10:18 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware upx
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: ISRStealer
Executable exe f8f3791ef07c0c58418b4f78c75675c70ac55e47912be15468caa338b214aea1 (this sample)
Delivery method: Distributed via e-mail attachment

Comments