isrstealer | 5bca96912ca868f0136550cb0d7976bfb48dc45065fb8c403e9f2d4e97fd349b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe
Size

604KB
MD5

2ca2c3d114572d4c688defac3d9d742c
SHA1

b2f457b463b3e5b20bfac3ae39a14002075116e7
SHA256

5bca96912ca868f0136550cb0d7976bfb48dc45065fb8c403e9f2d4e97fd349b
SHA512

41adce55141b55f95e58a54a24dc62b927de7c6274f4a12345796cbc542ad6dfd284480c7683f780a425149529c1b9cb91365d209bd7326113d788e8c738d45b
SSDEEP

12288:i0tCVTnJba1xuyzGgG1TQ9GuXGYRzBXRekpMFT:i0tCNJbae0EFjYRzBXU4MF

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3024-33-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral1/memory/3024-27-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral1/memory/3024-24-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer
behavioral1/memory/3024-68-0x0000000000400000-0x0000000000451000-memory.dmp	family_isrstealer

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2616-67-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral1/memory/2616-62-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral1/memory/2616-71-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/2616-67-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/2616-62-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/2616-71-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2972	ЏЎЗѤѠ.exe
3024	cvtres.exe
2932	cvtres.exe
2616	cvtres.exe

Loads dropped DLL 5 IoCs

pid	Process
2052	2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe
2052	2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe
2972	ЏЎЗѤѠ.exe
3024	cvtres.exe
2932	cvtres.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 3024	2972	ЏЎЗѤѠ.exe	31
PID 3024 set thread context of 2932	3024	cvtres.exe	32
PID 2932 set thread context of 2616	2932	cvtres.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3024	cvtres.exe
3024	cvtres.exe
3024	cvtres.exe
3024	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	cvtres.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2972	2052	2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2972	2052	2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2972	2052	2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2972	2052	2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe	30
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 2972 wrote to memory of 3024	2972	ЏЎЗѤѠ.exe	31
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 3024 wrote to memory of 2932	3024	cvtres.exe	32
PID 2932 wrote to memory of 2616	2932	cvtres.exe	33
PID 2932 wrote to memory of 2616	2932	cvtres.exe	33
PID 2932 wrote to memory of 2616	2932	cvtres.exe	33
PID 2932 wrote to memory of 2616	2932	cvtres.exe	33
PID 2932 wrote to memory of 2616	2932	cvtres.exe	33
PID 2932 wrote to memory of 2616	2932	cvtres.exe	33

C:\Users\Admin\AppData\Local\Temp\2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ca2c3d114572d4c688defac3d9d742c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\ЏЎЗѤѠ.exe
  "C:\Users\Admin\AppData\Local\Temp\ЏЎЗѤѠ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
      "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        5⤵
        Executes dropped EXE
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\ЏЎЗѤѠ.exe

Filesize
396KB

MD5
1484507647d2cbec4cb99cba142c0cc7

SHA1
a5524049d49cf6e1c80edec32d856f88a482c9b5

SHA256
04f1e7d8d2341a05631c1e796aa077fdba25503fcd41ff2f869b0f064024e33c

SHA512
d764d63635fbe46a24e774dbf9cdddbcccb78056afaa357f6d1293a8ba2d5cb29eb085956fa412c48f721c28424a7569f7829d097fc0dbc0ee7b840cc1c484c7

Download Submit
memory/2052-0-0x00000000743C1000-0x00000000743C2000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-2-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-13-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-71-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-59-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2932-38-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-66-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2932-50-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-32-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-14-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-19-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-31-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3024-22-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3024-20-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3024-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3024-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3024-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download