isrstealer | 2c110832981d01f0214ea91cc248e8110f1272d0eec82f416b9d5c1382ab330e

General

Target

JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
Size

1.6MB
MD5

13c8388330ef35426067eb1126dc9e50
SHA1

93b517738e76404e5d30345e21a20e90845f929e
SHA256

2c110832981d01f0214ea91cc248e8110f1272d0eec82f416b9d5c1382ab330e
SHA512

e13fce18c37ad6274667d37e01cd64fd8c6b9f972708ff0534c5856e198750a5efbb7fec2091e14551cf9bd8220745eb0a8f692119cd347a11f86eca57bb79ee
SSDEEP

49152:rvZebB0XQPgYKSCyHaPLNkkQNd7tNTAAr:jsbBJKSPHaDqkQN5DTAa

Score

10^/10

isrstealer discovery spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/43948-85670-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/43948-85667-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/43948-85681-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Executes dropped EXE 3 IoCs

pid	Process
2804	WirelessMon.exe
2728	lol.exe
43948	lol.exe

Loads dropped DLL 12 IoCs

pid	Process
2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
2804	WirelessMon.exe
2804	WirelessMon.exe
2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
2728	lol.exe
2728	lol.exe
2728	lol.exe
2728	lol.exe
43948	lol.exe
43948	lol.exe
43948	lol.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 43948	2728	lol.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WirelessMon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
43948	lol.exe
43948	lol.exe
43948	lol.exe
43948	lol.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	lol.exe
43948	lol.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2804	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	30
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2684 wrote to memory of 2728	2684	JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe	31
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33
PID 2728 wrote to memory of 43948	2728	lol.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\WirelessMon.exe
  "C:\Users\Admin\AppData\Local\Temp\WirelessMon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\lol.exe
  "C:\Users\Admin\AppData\Local\Temp\lol.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\lol.exe
    "C:\Users\Admin\AppData\Local\Temp\lol.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:43948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WirelessMon.exe

Filesize
3.9MB

MD5
852a30b13c55f91c03c7d95affc352d2

SHA1
a08cd26605043931bec9359f2db4f4e1f757500d

SHA256
dbc90191fb29b76de336b49f822fff8d5c68717a497bee5212302a2ae0ffe7e1

SHA512
f62ba038c91fde4096c9126a1ff763b610245deedc1d7f2589fcbdfbd99d8565d78f37248721464040f1ca795d2aea8f2ca0575e50b4fc45629b2dda803169b2

Download Submit
\Users\Admin\AppData\Local\Temp\lol.exe

Filesize
223KB

MD5
81a53142e4c2449072cf3fe30da5125e

SHA1
8bb7d8412cdabca78cf35d3f884988a83f51b03d

SHA256
915ea44cfc6fe8417648d29ec180300f9e413c3d44e5afcf10627ebf42e77c19

SHA512
18d7d7d4556bda3f1cc63956873635882a164dfe47cc425585b398616041ac6f703af3b4599599e0d5dd4ef034b975b30e99700621e79acac5abb8dfb7514e0c

Download Submit
memory/2684-9-0x0000000002F50000-0x0000000003359000-memory.dmp

Filesize
4.0MB

Download
memory/2728-75956-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2804-71867-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2804-68945-0x0000000000D70000-0x0000000001179000-memory.dmp

Filesize
4.0MB

Download
memory/2804-23-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2804-24-0x0000000000D70000-0x0000000001179000-memory.dmp

Filesize
4.0MB

Download
memory/43948-85663-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/43948-85665-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/43948-85670-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/43948-85669-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/43948-85667-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/43948-85681-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing