isrstealer | 50c3713014eefe6d7a2776d34cc38160f32b1154d0fde6539e506a6fcaf66196

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe
Size

1.7MB
MD5

6d2a7770d449ca77cdbaf19427f8df79
SHA1

bf9c217cbc4577bc16d6e696974d22b17e8f3c64
SHA256

50c3713014eefe6d7a2776d34cc38160f32b1154d0fde6539e506a6fcaf66196
SHA512

21c8877a24344ee8f3b7ab4d4e3fe0ffdc7aa28b8b28e3bf91742918b9e069d788363acf8ff3dfad742e8ce6505983db502a94579ffee3f3ca46f2dd9605653c
SSDEEP

49152:v7PcpfOyQmi8yhCNhak8xZ/tJbE/97lGWW868Ie97V:vUfOyVi8yhvk8xZHbE/90WW82u5

Score

10^/10

isrstealer discovery persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2552-71-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/2552-68-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/2552-103-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Executes dropped EXE 2 IoCs

pid	Process
1044	Nem_Prot.exe
2176	2012 Crypter Private.exe

Loads dropped DLL 7 IoCs

pid	Process
2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe
2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe
1044	Nem_Prot.exe
1044	Nem_Prot.exe
1044	Nem_Prot.exe
2176	2012 Crypter Private.exe
2176	2012 Crypter Private.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\csrss.exe"	Nem_Prot.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 2552	1044	Nem_Prot.exe	32
PID 2552 set thread context of 2224	2552	vbc.exe	33

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2224-82-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2224-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2224-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2224-86-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nem_Prot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2012 Crypter Private.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\MyProject\1.0.0:$SS_DESCRIPTOR_XBVLV2PKPV19FKN45LJ8K8M3UKVVVVTJV6VVBVT	Nem_Prot.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_XBVLV2PKPV19FKN45LJ8K8M3UKVVVVTJV6VVBVT	Nem_Prot.exe
File created	C:\ProgramData:$SS_DESCRIPTOR_XBVLV2PKPV19FKN45LJ8K8M3UKVVVVTJV6VVBVT	Nem_Prot.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1044	Nem_Prot.exe
1044	Nem_Prot.exe
1044	Nem_Prot.exe
1044	Nem_Prot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 1044	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	30
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 2644 wrote to memory of 2176	2644	JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe	31
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 1044 wrote to memory of 2552	1044	Nem_Prot.exe	32
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33
PID 2552 wrote to memory of 2224	2552	vbc.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2a7770d449ca77cdbaf19427f8df79.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\Nem_Prot.exe
  "C:\Users\Admin\AppData\Local\Temp\Nem_Prot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\MBIeGE3rJK.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2224
- C:\Users\Admin\AppData\Local\Temp\2012 Crypter Private.exe
  "C:\Users\Admin\AppData\Local\Temp\2012 Crypter Private.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MyProject\1.0.0\Data\app.dat

Filesize
971B

MD5
a54616ca338542c656f36f22cce3d519

SHA1
17d58ed9127ef0e8d32dd9971ea2c6c0cc0a1b71

SHA256
bbd8f1c6271e512276354b8eabe1fdf7ca7e97725ccf18574752de4cf73ccbbe

SHA512
ad202ce1e29f585fc6013ef85fcae89dc2e676e0ffe55f17ef31a881e82957b6586d162c19a75c6e90978b854e164f1675b93780f92e6930784c502af644dcff

Download Submit
C:\ProgramData\MyProject\1.0.0\Data\updates.dat

Filesize
971B

MD5
158e64890ffd94348052c0e5e9a8a055

SHA1
bf190042e1676d3c9b9200bc43b534a557e933b7

SHA256
9919ed02f020431057c94657e9da6a1543fd43ba54baebd6ce309d64ff3dd81a

SHA512
706e84f9dc4aa555e4671e2a4a5e350a34e59854d5ba212a70ff63a7b263c4372d8a60b9efb8064b0bcbbcd86d948b07691292955e022d2384a5eccd4828b8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBIeGE3rJK.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\MyProject\1.0.0\Data\dya.dat

Filesize
971B

MD5
0dfa5304635a7e1491604fac009e0ad3

SHA1
8ea79be6d2527df61993f8a548c969245808a1bc

SHA256
b663c62dc35c77c4461e6b153f7b80b6a9e0d4a705270073c08fe577e027a5b0

SHA512
f9d5ea90f90cd732ec247b701167f79f0537b2e91047dc9bfdb34efc651321a4d2f3deefa908d62d335f7e595f98c78ab9d4697523bf645caeddc6082b1d7af8

Download Submit
\Users\Admin\AppData\Local\Temp\2012 Crypter Private.exe

Filesize
1.7MB

MD5
9b160f64ce82250a60c37ac850edac66

SHA1
3f04afc08c2c9297ab2ba680e99dbad0534baccc

SHA256
9a216462b63d975f7ed20a2dd6583d38298041d81f75bdba3a8dcbad2b625e11

SHA512
f6bf6b52d73665b60f73e5d8617830629a623b266fe2cfda1b1a5b09bb44dc95288acc26766e72d81aa9b3a7f46252b84ade97f2d85be47e5e81d83f7d49a5ad

Download Submit
\Users\Admin\AppData\Local\Temp\Nem_Prot.exe

Filesize
676KB

MD5
3f10ad143d833ab72cd52ae16b6c1cff

SHA1
1a225e19693da9ada3ba0566269436e530836328

SHA256
142218d4796ae6f14953fa238f29923d6007cde3e2eacd2c8a27dbd0904d0cc9

SHA512
2db36e22dc0b0728e9cb75fd46dae80664fe7be300536ecaf2804db38536590e93f7f8806cdd705fbe7be8e31d93ffe1167f99c75cdc96a8020df7fb2793ef61

Download Submit
memory/1044-79-0x000000000043C000-0x00000000004DE000-memory.dmp

Filesize
648KB

Download
memory/1044-78-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1044-20-0x000000000043C000-0x00000000004DE000-memory.dmp

Filesize
648KB

Download
memory/2224-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2224-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2224-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2224-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2224-86-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-102-0x0000000000440000-0x00000000005C1000-memory.dmp

Filesize
1.5MB

Download
memory/2552-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download