isrstealer | af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9

General

Target

2603a878062e895071741970fb915e04_JaffaCakes118.exe
Size

176KB
MD5

2603a878062e895071741970fb915e04
SHA1

3cbe752a21d0d549518bee4873dd2576709379c5
SHA256

af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9
SHA512

337f4b07fe686fe1d42db1815aa85c3ffa9181a517ae9064bf3022273d3e8d76ace10ea24f2d4211f8ebcbfd557f1e144190b6f7ef08cc817db3103afc3f4ad1
SSDEEP

3072:Xbx0E6o1HZ/aV/sX+lwHG8MFwDp4T+QYsj4T1LI37ANaxo+7B:XIYM3w05Icr9C+7

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/404-20-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/404-25-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/404-29-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/404-30-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 1 IoCs

pid	Process
404	lshss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe
404	lshss.exe
404	lshss.exe
404	lshss.exe
404	lshss.exe
404	lshss.exe
404	lshss.exe
404	lshss.exe
404	lshss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
404	lshss.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2444	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	81
PID 4968 wrote to memory of 2444	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	81
PID 4968 wrote to memory of 2444	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	81
PID 2444 wrote to memory of 5036	2444	csc.exe	83
PID 2444 wrote to memory of 5036	2444	csc.exe	83
PID 2444 wrote to memory of 5036	2444	csc.exe	83
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84
PID 4968 wrote to memory of 404	4968	2603a878062e895071741970fb915e04_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\2603a878062e895071741970fb915e04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2603a878062e895071741970fb915e04_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rx20z7ex.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4576.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4575.tmp"
    3⤵
    PID:5036
- C:\Users\Admin\Documents\lshss.exe
  C:\Users\Admin\Documents\lshss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4576.tmp

Filesize
1KB

MD5
e76d8e50f5465836df6bdc9da64a8d8d

SHA1
09924d53b40b96da33481e0d09f8daacd0d342a3

SHA256
0d98aa9004f638ace4aff4769d54669142311753868cb850450d3241cdafa43f

SHA512
28b34bb0da86b4bce41539c8252b0af6a0804257d834b8e010035161f4f921c8ba4dbd6e63757ef241ca9bdfe634e83a4f7f4147112c05597a5c1d6f56b91be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rx20z7ex.dll

Filesize
5KB

MD5
9ccc7391056c37715d6178a1f8d04472

SHA1
9968284c5292c64fa87b8a7abd6f94661bd41535

SHA256
6dea70b8deeb599ff2c751bf21cffc84eab7a256d5e4b4edd5e048c3280e3ec7

SHA512
91a5bad414052244fa278101d6d85e5ac97605dff68de208a8823eb7acda2cc7157709099f140449b39cf1dc67dfbaffc95c20961a16487bc220e45805d5a0a9

Download Submit
C:\Users\Admin\Documents\lshss.exe

Filesize
16KB

MD5
974f0e2644d518ed0507d73c01e45ac3

SHA1
fc202efa0796f95542ee4b2deadb18fb6e78afa4

SHA256
0eaac28e58fc48cb6d74e1f44f93156b225e7e7b0793b223ce75a50fe3fd99b3

SHA512
bdf645abeb861cb1893e5abbc3697e4947fe91b05ab63b4f2c44ef911a23634da548530e31599a2f7f8203cce4487aa5e258e9606fe0bcd7108e97e24ce6b1b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4575.tmp

Filesize
652B

MD5
0b11530510eeb3206b92d57b8e035105

SHA1
3600929a8108313c5a63d8f4db84fc1056cd7895

SHA256
1b0da9f3912c482457f11291e8ca82f5021c976312ef8921d43d7cd38f028fd4

SHA512
8f2864514d7ae400105518d5efa7bb9b31b3d8e6a22ad834a37c3107f1134b88f33cecf65a4ed18e799c90e8de93cbe4928feaf24e534949935dfe834d995bca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rx20z7ex.0.cs

Filesize
4KB

MD5
2bc50d88957abf4e0cb6fe9c856c882f

SHA1
4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f

SHA256
d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc

SHA512
60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rx20z7ex.cmdline

Filesize
206B

MD5
b6f7e9de3a35e9e628501f591c2b9716

SHA1
c0537dab968fc8897023ddecd4498ed44f2065a1

SHA256
cbc486af63361261fd6dc66eb21ef55fb400a89582ce8cbbb6d9b600a417d4c1

SHA512
bf148ef335596cf5e40d29405db179eb9385599c0d00bf2c53139451c4f1596f639560bb05c5f92c0b13d9d9a533208b2e6b241090d09cbaf6d56e4540e9ff20

Download Submit
memory/404-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/404-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/404-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/404-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-13-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2444-16-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4968-2-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4968-1-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4968-0-0x0000000074862000-0x0000000074863000-memory.dmp

Filesize
4KB

Download
memory/4968-26-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing