isrstealer | af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9

General

Target

2603a878062e895071741970fb915e04_JaffaCakes118.exe
Size

176KB
MD5

2603a878062e895071741970fb915e04
SHA1

3cbe752a21d0d549518bee4873dd2576709379c5
SHA256

af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9
SHA512

337f4b07fe686fe1d42db1815aa85c3ffa9181a517ae9064bf3022273d3e8d76ace10ea24f2d4211f8ebcbfd557f1e144190b6f7ef08cc817db3103afc3f4ad1
SSDEEP

3072:Xbx0E6o1HZ/aV/sX+lwHG8MFwDp4T+QYsj4T1LI37ANaxo+7B:XIYM3w05Icr9C+7

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2676-33-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2676-29-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2676-40-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 1 IoCs

pid	Process
2676	lshss.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe
2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe
2676	lshss.exe
2676	lshss.exe
2676	lshss.exe
2676	lshss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2676	lshss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1928	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	28
PID 2140 wrote to memory of 1928	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	28
PID 2140 wrote to memory of 1928	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	28
PID 2140 wrote to memory of 1928	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2388	1928	csc.exe	30
PID 1928 wrote to memory of 2388	1928	csc.exe	30
PID 1928 wrote to memory of 2388	1928	csc.exe	30
PID 1928 wrote to memory of 2388	1928	csc.exe	30
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2676	2140	2603a878062e895071741970fb915e04_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2603a878062e895071741970fb915e04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2603a878062e895071741970fb915e04_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwlop2ct.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1131.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1130.tmp"
    3⤵
    PID:2388
- C:\Users\Admin\Documents\lshss.exe
  C:\Users\Admin\Documents\lshss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1131.tmp

Filesize
1KB

MD5
b5f99c3bb90387c30bd678fb50ea5c05

SHA1
7e5c75ea05244e169d5f7cbcb6c986234a90b46b

SHA256
e6ea742f599601b83134900ad545a9c40ff483f89636ef7a6fa89b49e0b5a475

SHA512
88f4ff624bb26c6f47a43c250c3669de0f1ae663e3cfa712da456527da0e6f47344ba5d487de173b0ff7a9500e4ec93ccab19d30cb10baa59e47c98c7cebf536

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwlop2ct.dll

Filesize
5KB

MD5
576ba3aafae01306cdbe619e7ad23c15

SHA1
d3d6bc7609ba27a7e1b8fb3fec34ffb0d046c0e7

SHA256
ef4865f7c3f29337a15557e7fa47b32f5126cb60a027f7ca276e284662aee2a7

SHA512
579a86d09e5b2f62337d2cff086877ca4697f4c40535c8af119d185d17f454022ddb05f7dafc8c20afcb7d3da1a6d3d91435342542028c8d294cd56237ed2a6d

Download Submit
C:\Users\Admin\Documents\lshss.exe

Filesize
16KB

MD5
974f0e2644d518ed0507d73c01e45ac3

SHA1
fc202efa0796f95542ee4b2deadb18fb6e78afa4

SHA256
0eaac28e58fc48cb6d74e1f44f93156b225e7e7b0793b223ce75a50fe3fd99b3

SHA512
bdf645abeb861cb1893e5abbc3697e4947fe91b05ab63b4f2c44ef911a23634da548530e31599a2f7f8203cce4487aa5e258e9606fe0bcd7108e97e24ce6b1b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1130.tmp

Filesize
652B

MD5
030dbd12ecbbccd4865a5096311cce3c

SHA1
812e160ae1a81bfe6714220360b7527498b4617d

SHA256
1b3330a41a8e93a70f8fae0b516f0c87be53091d3d1a215950c0c42a307d7269

SHA512
9d68d1033e5845e7dccb7962c1a929760290c11a67b45dce6e73de57857a8fd798e147d6f6e9111e2fc658d4c181026d637bc7d74b839075fcad6f95bca25194

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwlop2ct.0.cs

Filesize
4KB

MD5
2bc50d88957abf4e0cb6fe9c856c882f

SHA1
4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f

SHA256
d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc

SHA512
60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwlop2ct.cmdline

Filesize
206B

MD5
b8900c26f59fb17f3912d3df7cf47e4a

SHA1
eeae4b93a4c492876dddcd07dbee7d34001c8a9b

SHA256
7c66d01a0b624b0ef5bb6b2a9b66b8802e487718379d860a172071e5297c2f1b

SHA512
5c0622f98fb2522af933a52c5120981137b95ed916a16414e229414b83a952e0707af31b79fea67e993db24df8fa4d0bc5e247c2ddbab8e5ebd272aa30111c67

Download Submit
memory/1928-16-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-9-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-0-0x00000000741D1000-0x00000000741D2000-memory.dmp

Filesize
4KB

Download
memory/2140-2-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-1-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-39-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing