isrstealer | dc7f36e303ad160f0f4c6f2af9fab5837571998f9f4fc7817ca05fe717493c59 | Triage

Submit
Reports

Overview

overview

Static

static

3

121d0b20a7...18.exe

windows7-x64

121d0b20a7...18.exe

windows10-2004-x64

Sharing

General

Target

121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118
Size

844KB
Sample

240626-qmecrsyhln
MD5

121d0b20a7ea0aff94c9951ab2a22c71
SHA1

d7794361d73ea95d5748a9d60b9acbb479b8762e
SHA256

dc7f36e303ad160f0f4c6f2af9fab5837571998f9f4fc7817ca05fe717493c59
SHA512

103ce92ece47d2b7b9f5eb0d28c13017c4e02982067e4a3458af1f5e7b593ea2cf5d4f9b5755eab5d4cad3eb0ed1ca41b59b263014192a979b006d7bb1c4bc13
SSDEEP

12288:djTwOslBgVCkoSCTyyZ27HjUtbnW3h0pKN3fl1aLUK40nnVanE4syALPwWbyFYMM:ZTwOsI04CyyaUtbMEKtS4K40VwxjoRk

Score

10^/10

isrstealer bootkit persistence stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe

Resource

win7-20231129-en

isrstealer bootkit persistence stealer trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe

Resource

win10v2004-20240611-en

isrstealer stealer trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118
- Size
  
  844KB
- MD5
  
  121d0b20a7ea0aff94c9951ab2a22c71
- SHA1
  
  d7794361d73ea95d5748a9d60b9acbb479b8762e
- SHA256
  
  dc7f36e303ad160f0f4c6f2af9fab5837571998f9f4fc7817ca05fe717493c59
- SHA512
  
  103ce92ece47d2b7b9f5eb0d28c13017c4e02982067e4a3458af1f5e7b593ea2cf5d4f9b5755eab5d4cad3eb0ed1ca41b59b263014192a979b006d7bb1c4bc13
- SSDEEP
  
  12288:djTwOslBgVCkoSCTyyZ27HjUtbnW3h0pKN3fl1aLUK40nnVanE4syALPwWbyFYMM:ZTwOsI04CyyaUtbMEKtS4K40VwxjoRk
Score

10^/10

isrstealer bootkit persistence stealer trojan upx
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
  trojan stealer isrstealer
- ISR Stealer payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

isrstealerbootkitpersistencestealertrojanupx

behavioral2

isrstealerstealertrojanupx

© 2018-2024

Terms | Privacy