isrstealer | ae042d2e4e5d411e544f4bf00a5c8499f7c224f442f854feb4e61f705b562b02

General

Target

JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
Size

1.2MB
MD5

638f0a2333f81bb929cfc47b16e4057d
SHA1

5f8d13e6d5647c6380a6e9670d3279cca8de5eae
SHA256

ae042d2e4e5d411e544f4bf00a5c8499f7c224f442f854feb4e61f705b562b02
SHA512

fafbd9aa10c2f26ffabce7fedb70f6f4929d9d017233b015cf9df9ef472cf752f42bda0cf7aebf22291cffafc9315ad6fcf730f6760b1d3c55b6cce9e080f8e5
SSDEEP

24576:1qXdDeWY6yHlb05btx6O4W0uAp7UGpV83NfmNbP2:1QdCJ0M5nTDj2

Score

10^/10

isrstealer discovery stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/3036-19-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral1/memory/3036-33-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Executes dropped EXE 2 IoCs

pid	Process
2672	3YX11.exe
2708	3YX11e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 3036	2708	3YX11e.exe	32
PID 3036 set thread context of 2544	3036	vbc.exe	33

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-26-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2544-25-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2544-24-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2544-23-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2544-32-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3YX11e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	vbc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2672	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	30
PID 2788 wrote to memory of 2672	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	30
PID 2788 wrote to memory of 2672	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	30
PID 2788 wrote to memory of 2708	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	31
PID 2788 wrote to memory of 2708	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	31
PID 2788 wrote to memory of 2708	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	31
PID 2788 wrote to memory of 2708	2788	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	31
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 2708 wrote to memory of 3036	2708	3YX11e.exe	32
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33
PID 3036 wrote to memory of 2544	3036	vbc.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\3YX11.exe
  C:\Users\Admin\AppData\Local\Temp\3YX11.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\3YX11e.exe
  C:\Users\Admin\AppData\Local\Temp\3YX11e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3YX11.exe

Filesize
171KB

MD5
b639641d48989d0f655c5331d3bbd6ab

SHA1
23c814de11091b34304e3982efc5d0e5a9ab00c8

SHA256
09c027f0eb268ece684d416c2ac715f96502400fb003ddecec86f11718862a06

SHA512
05ffbe523ac54f48471ff0131a2cf11be67a11bc4b6c201b7b52f2fac1b19ed75ee12626d53a28e20f364f7003d0ee95586aed60a8a0a1d6f16951ec422f27f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YX11e.exe

Filesize
544KB

MD5
047eb567d1450e7c0dc4225280062f92

SHA1
1d91f788269eb3560efe85e923720c5b150f89e5

SHA256
b0367f47cf1177e8122dabc5fc85adc4cb03268f7f29176bd15747211ef31b5c

SHA512
0da335c4d3402da4e61cfbf6d009fd55179a8b2bb473ce862ffc53080069a5a193557e098cdb22ab0c8292a57f92b7fba57cc6f8f47eb491c4b322229765fbbf

Download Submit
memory/2544-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2544-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2544-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2544-23-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2544-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-11-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-12-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-10-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-9-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-28-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-1-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-3-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-0-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp

Filesize
4KB

Download
memory/2788-27-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-2-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3036-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing