isrstealer | ae042d2e4e5d411e544f4bf00a5c8499f7c224f442f854feb4e61f705b562b02

General

Target

JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
Size

1.2MB
MD5

638f0a2333f81bb929cfc47b16e4057d
SHA1

5f8d13e6d5647c6380a6e9670d3279cca8de5eae
SHA256

ae042d2e4e5d411e544f4bf00a5c8499f7c224f442f854feb4e61f705b562b02
SHA512

fafbd9aa10c2f26ffabce7fedb70f6f4929d9d017233b015cf9df9ef472cf752f42bda0cf7aebf22291cffafc9315ad6fcf730f6760b1d3c55b6cce9e080f8e5
SSDEEP

24576:1qXdDeWY6yHlb05btx6O4W0uAp7UGpV83NfmNbP2:1QdCJ0M5nTDj2

Score

10^/10

isrstealer discovery stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2764-26-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral2/memory/2764-23-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral2/memory/2764-45-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Executes dropped EXE 2 IoCs

pid	Process
1892	113Y1.exe
3900	113Y1e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3900 set thread context of 2764	3900	113Y1e.exe	87
PID 2764 set thread context of 1320	2764	vbc.exe	88

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1320-35-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1320-39-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1320-36-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1320-34-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	113Y1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 1892	4024	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	85
PID 4024 wrote to memory of 1892	4024	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	85
PID 4024 wrote to memory of 3900	4024	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	86
PID 4024 wrote to memory of 3900	4024	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	86
PID 4024 wrote to memory of 3900	4024	JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe	86
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 3900 wrote to memory of 2764	3900	113Y1e.exe	87
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88
PID 2764 wrote to memory of 1320	2764	vbc.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\113Y1.exe
  C:\Users\Admin\AppData\Local\Temp\113Y1.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\113Y1e.exe
  C:\Users\Admin\AppData\Local\Temp\113Y1e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\113Y1.exe

Filesize
171KB

MD5
b639641d48989d0f655c5331d3bbd6ab

SHA1
23c814de11091b34304e3982efc5d0e5a9ab00c8

SHA256
09c027f0eb268ece684d416c2ac715f96502400fb003ddecec86f11718862a06

SHA512
05ffbe523ac54f48471ff0131a2cf11be67a11bc4b6c201b7b52f2fac1b19ed75ee12626d53a28e20f364f7003d0ee95586aed60a8a0a1d6f16951ec422f27f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\113Y1e.exe

Filesize
544KB

MD5
047eb567d1450e7c0dc4225280062f92

SHA1
1d91f788269eb3560efe85e923720c5b150f89e5

SHA256
b0367f47cf1177e8122dabc5fc85adc4cb03268f7f29176bd15747211ef31b5c

SHA512
0da335c4d3402da4e61cfbf6d009fd55179a8b2bb473ce862ffc53080069a5a193557e098cdb22ab0c8292a57f92b7fba57cc6f8f47eb491c4b322229765fbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/1320-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1320-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1320-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1320-38-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/1320-35-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1892-46-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/1892-14-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/1892-15-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/1892-16-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/1892-48-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/2764-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2764-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2764-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3900-21-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3900-20-0x0000000075322000-0x0000000075323000-memory.dmp

Filesize
4KB

Download
memory/3900-22-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/3900-29-0x0000000075320000-0x00000000758D1000-memory.dmp

Filesize
5.7MB

Download
memory/4024-5-0x0000000001170000-0x0000000001178000-memory.dmp

Filesize
32KB

Download
memory/4024-41-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4024-11-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4024-7-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4024-6-0x000000001C430000-0x000000001C47C000-memory.dmp

Filesize
304KB

Download
memory/4024-0-0x00007FFD64E75000-0x00007FFD64E76000-memory.dmp

Filesize
4KB

Download
memory/4024-30-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4024-28-0x00007FFD64E75000-0x00007FFD64E76000-memory.dmp

Filesize
4KB

Download
memory/4024-27-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/4024-4-0x000000001C2D0000-0x000000001C36C000-memory.dmp

Filesize
624KB

Download
memory/4024-3-0x000000001BD20000-0x000000001C1EE000-memory.dmp

Filesize
4.8MB

Download
memory/4024-2-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4024-1-0x000000001B7A0000-0x000000001B846000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing