isrstealer | a7cdf2bb2e20cc4046d6897a2299f3aba3cc6dd99e5e7a06129a9bec8d627bc9 | Triage

Submit
Reports

Overview

overview

Static

static

3

c8b104888f...18.exe

windows7-x64

c8b104888f...18.exe

windows10-2004-x64

Sharing

General

Target

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118
Size

928KB
Sample

240829-m3twlszdmn
MD5

c8b104888f5195155a25c0f10a4680ae
SHA1

736222962c56242b83070ef37fbb8e7a6fc0685f
SHA256

a7cdf2bb2e20cc4046d6897a2299f3aba3cc6dd99e5e7a06129a9bec8d627bc9
SHA512

b07004fff4bb3cab06ed30d034b2ddc1a61f9d29742952fd10090c5c1fe4d4764d07b734497928e3331cf241800beed6f09b818607d28b954da7fdfaf3ec4438
SSDEEP

24576:q/hlwX/1brBVGSPBcagNcMJN6aLkkgl2:WlC/E8/gnJwagkg

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe

Resource

win7-20240705-en

isrstealer bootkit discovery persistence spyware stealer trojan upx

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe

Resource

win10v2004-20240802-en

isrstealer bootkit discovery persistence spyware stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  c8b104888f5195155a25c0f10a4680ae_JaffaCakes118
- Size
  
  928KB
- MD5
  
  c8b104888f5195155a25c0f10a4680ae
- SHA1
  
  736222962c56242b83070ef37fbb8e7a6fc0685f
- SHA256
  
  a7cdf2bb2e20cc4046d6897a2299f3aba3cc6dd99e5e7a06129a9bec8d627bc9
- SHA512
  
  b07004fff4bb3cab06ed30d034b2ddc1a61f9d29742952fd10090c5c1fe4d4764d07b734497928e3331cf241800beed6f09b818607d28b954da7fdfaf3ec4438
- SSDEEP
  
  24576:q/hlwX/1brBVGSPBcagNcMJN6aLkkgl2:WlC/E8/gnJwagkg
Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan upx
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
  trojan stealer isrstealer
- ISR Stealer payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

isrstealerbootkitdiscoverypersistencespywarestealertrojanupx

behavioral2

isrstealerbootkitdiscoverypersistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy