isrstealer | 93f2e07cc7722a22a158b71a0cc2a456f4fbdca5cfd67fa8e905e066522216f3

Analysis

max time kernel
63s
max time network
64s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
Size

248KB
MD5

bc900ec165c7974d6b8a35003e8b469f
SHA1

2455fca46873fddc8e776278d931e4f86bea326d
SHA256

93f2e07cc7722a22a158b71a0cc2a456f4fbdca5cfd67fa8e905e066522216f3
SHA512

d8ecb449ce2e6489f345a29fdf9a8ab2d16fa5407310195f8e8dbf6590c0160417a054cc6e908badb0ade9c50cde33a503ffeb06121d12a83011b7fd0444d060
SSDEEP

3072:hm+JmSCT1QEMQkrp8RCODSS2olEPKeMFxdK0NHhwCxzL5PKATEt1l8Hw3bImQQEj:8+6T6EMjpQDL20EP1MvwCIOH

Score

10^/10

isrstealer discovery stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2448-11-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2448-7-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2448-39-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2448-126-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2448	vbc.exe
2448	vbc.exe
2448	vbc.exe
2448	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2448	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2824	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	30
PID 1456 wrote to memory of 2824	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	30
PID 1456 wrote to memory of 2824	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	30
PID 1456 wrote to memory of 2824	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	30
PID 2824 wrote to memory of 2752	2824	vbc.exe	32
PID 2824 wrote to memory of 2752	2824	vbc.exe	32
PID 2824 wrote to memory of 2752	2824	vbc.exe	32
PID 2824 wrote to memory of 2752	2824	vbc.exe	32
PID 1456 wrote to memory of 2980	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	33
PID 1456 wrote to memory of 2980	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	33
PID 1456 wrote to memory of 2980	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	33
PID 1456 wrote to memory of 2980	1456	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ufb7war2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3988.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3987.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe
  "C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c27dedd096d47a25e816521f8def799c

SHA1
529936c7dc0b1b9899f49936a16d2c0310e51f4c

SHA256
3663e324724ea4c18ac6d7bac29fd915b874a7d049529b88bc8f15a1e9b03ff7

SHA512
0a5c71c03bbfe66b3602975e553ba34fe7f95c8bc32ca122951e0c0cc2cdb10fa55ccc0901bcf8a95be3846782f827022590788d6e8045a7108dabe13a274b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7457.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3988.tmp

Filesize
1KB

MD5
56b526f24b3e6fdb0cd82ccefa9912e1

SHA1
df9c33c6833bd530f6c59936ba8c72679f5bae79

SHA256
b3bfc83bed357fb667c0ded68ad34f3bdd3073ab87f7999fc2124e682f6c3e40

SHA512
2ecaf39f434836a100265ea1fcc385635b22bc17ae59fd409e35a1484e88211de6a12ecf34d705c38385b3487701eba5c7f2d4f9a84e031da0c5550f61df41b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7516.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufb7war2.0.vb

Filesize
381B

MD5
80d22faecb679a9b013cc9a464ecb5e8

SHA1
ba13add72b45895a41eb4b7dd99c39f868823046

SHA256
ba6b5b6b8e4e5f3fa0d5532870ed023afde9e5f190f16ed33d1ca13a3f7fc82c

SHA512
06e63157e33f67dd4054dfa5339804ee717b32a2abaae121a114376618ffa1c952d967816f2194fd5eaf1f79cce9a362cf07dfc43b04f998d3cb09f297376e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufb7war2.cmdline

Filesize
235B

MD5
8be113312a8a02976a3009a2b9be7bfc

SHA1
db90cc715b2fcc29f0ee54f6b1419f6b9120d972

SHA256
ffef110a4428ea1e2c32faac068bd94c484f33964e2c96e5f9f45ec23dbccb26

SHA512
9fb51d1f66d23b8b12894b79769972810961dc79182b6d011994ed1d56b402926a18c8b003736c8f56ed2917a5822de8f41872b761434303b2edeb5d31e7919b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3987.tmp

Filesize
804B

MD5
854c95d568f634996b7ac09976ea229b

SHA1
ada258b5559eaf0c7e230a9ddb28f1cfe5de19ea

SHA256
d873ccc0686939bf731163f025aa89bb369a6aaee6dd28814e9062541e378e58

SHA512
e496524970935c391d58dee53c9ea89f7473e720554ad1caba8c6bf5765e91105c1bc0bd9f0c14c41fc7b7950946a3f228cfe5f4a061672b6ffbffcdac4f7119

Download Submit
C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Filesize
248KB

MD5
bc900ec165c7974d6b8a35003e8b469f

SHA1
2455fca46873fddc8e776278d931e4f86bea326d

SHA256
93f2e07cc7722a22a158b71a0cc2a456f4fbdca5cfd67fa8e905e066522216f3

SHA512
d8ecb449ce2e6489f345a29fdf9a8ab2d16fa5407310195f8e8dbf6590c0160417a054cc6e908badb0ade9c50cde33a503ffeb06121d12a83011b7fd0444d060

Download Submit
C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Filesize
6KB

MD5
33786df9de7ee4940e74985e0c76498f

SHA1
0deb63fec4a2204773a0275e665a736389e35c35

SHA256
dd79a10dad22bc3b4b86b9215e589389eeb07f75befebba7fa5d3579cfe9fd03

SHA512
2597f92c8cf85919a5549dad171b4feaf03c9d399d69f579bb6f4f2fc094b3daa19ea53ee4b342674828f2463497c92142a4ce221016a79b769fe05413152c15

Download Submit
memory/1456-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-38-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/2448-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2448-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2448-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2448-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2448-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2448-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2448-124-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2448-126-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2824-30-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2824-21-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download