isrstealer | d6637c6c05a5268fccd2602cd7d384f57448b570f38aab1f752dab4c1af00c59 | Triage

Submit
Reports

Overview

overview

Static

static

3

54fb130e36...18.exe

windows7-x64

54fb130e36...18.exe

windows10-2004-x64

Sharing

General

Target

54fb130e36f9335f843e242559cb2b0c_JaffaCakes118
Size

868KB
Sample

240518-qxndesea82
MD5

54fb130e36f9335f843e242559cb2b0c
SHA1

3f87bfafd292e7c22ebfc0b76ff7c7ec40c2a256
SHA256

d6637c6c05a5268fccd2602cd7d384f57448b570f38aab1f752dab4c1af00c59
SHA512

49485abcae8de4c7fc7c57f4359e0046e14565273ba73d96715e8c89371c7c9d3615d7ab0ab9983b0edcbf38706f5a6f4504aaf371fc9a48ea695a2a05761e27
SSDEEP

12288:NtQN+pguUxLeEpvF+z7E5QvNvlgTJmvsEs+ZSnR+is1igoe+esTCm:zQ4pI2lvllV0X+Z64j1ig42m

Score

10^/10

isrstealer bootkit collection persistence spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

54fb130e36f9335f843e242559cb2b0c_JaffaCakes118.exe

Resource

win7-20240508-en

isrstealer bootkit collection persistence spyware stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

54fb130e36f9335f843e242559cb2b0c_JaffaCakes118.exe

Resource

win10v2004-20240226-en

isrstealer collection persistence spyware stealer trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  54fb130e36f9335f843e242559cb2b0c_JaffaCakes118
- Size
  
  868KB
- MD5
  
  54fb130e36f9335f843e242559cb2b0c
- SHA1
  
  3f87bfafd292e7c22ebfc0b76ff7c7ec40c2a256
- SHA256
  
  d6637c6c05a5268fccd2602cd7d384f57448b570f38aab1f752dab4c1af00c59
- SHA512
  
  49485abcae8de4c7fc7c57f4359e0046e14565273ba73d96715e8c89371c7c9d3615d7ab0ab9983b0edcbf38706f5a6f4504aaf371fc9a48ea695a2a05761e27
- SSDEEP
  
  12288:NtQN+pguUxLeEpvF+z7E5QvNvlgTJmvsEs+ZSnR+is1igoe+esTCm:zQ4pI2lvllV0X+Z64j1ig42m
Score

10^/10

isrstealer bootkit collection persistence spyware stealer trojan upx
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
  trojan stealer isrstealer
- ISR Stealer payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

isrstealerbootkitcollectionpersistencespywarestealertrojanupx

behavioral2

isrstealercollectionpersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy