isrstealer | 037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17/03/2025, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Size

2.8MB
MD5

7e2819ee5d4b6c85a23623599d6296d1
SHA1

44cd2d86ba52202b11b171570237f6007019005f
SHA256

037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d
SHA512

53c893ab4bb386a87c6f84f8643105797a3b03b22bdbcd05cb13e8166d890d0e56d57eb5ad6290c8b8df4aa81845a77aa9b58d799041b3f17955eeee04398b3e
SSDEEP

49152:sXi8Z3dnHh9GVXYWmr7IKDvYq3j/DW2VBaB0:

Score

10^/10

isrstealer collection discovery stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1928-136-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1928-139-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1928-152-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1928-161-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Executes dropped EXE 3 IoCs

pid	Process
2532	fsSetup136s.exe
2404	dll3.exe
2896	fsSetup136s.exe

Loads dropped DLL 16 IoCs

pid	Process
1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
2532	fsSetup136s.exe
2532	fsSetup136s.exe
1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
2404	dll3.exe
2404	dll3.exe
2404	dll3.exe
2532	fsSetup136s.exe
2532	fsSetup136s.exe
2532	fsSetup136s.exe
2896	fsSetup136s.exe
2896	fsSetup136s.exe
2896	fsSetup136s.exe
2896	fsSetup136s.exe
2896	fsSetup136s.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 1928	2404	dll3.exe	34
PID 1928 set thread context of 536	1928	vbc.exe	35
PID 1928 set thread context of 2420	1928	vbc.exe	37

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-143-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/536-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/536-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/536-146-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/536-150-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2420-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2420-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2420-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dll3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsSetup136s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsSetup136s.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2896	fsSetup136s.exe
2896	fsSetup136s.exe
2896	fsSetup136s.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	fsSetup136s.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1928	vbc.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2532	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	31
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 1484 wrote to memory of 2404	1484	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	32
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2532 wrote to memory of 2896	2532	fsSetup136s.exe	33
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 2404 wrote to memory of 1928	2404	dll3.exe	34
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 536	1928	vbc.exe	35
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37
PID 1928 wrote to memory of 2420	1928	vbc.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe
  "C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\dll3.exe
  "C:\Users\Admin\AppData\Local\Temp\dll3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\RG4FehwRxD.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\obOSFLLNJj.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RG4FehwRxD.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\ShortcutAsk.ini

Filesize
449B

MD5
3778a879f81c1ea564bf788df05a1440

SHA1
570a1bd1b66a1c2689eab5f0e9143c2da532e30c

SHA256
6637155b192dd47a574e17df216338cad28ef81e513076d19354bfabf22909df

SHA512
ff40627f2709ac793c30d4b0f940e4ab3f77c114d1f174a008cb5106a458c428f47786280a9361442573b184a02618aa41daa5c8196ae677f2bdb7cd0430e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\ioSpecial.ini

Filesize
1KB

MD5
40ec128b2690808c387b1ba94def63f5

SHA1
55220fb399164417b9910792d958463bc1ccd049

SHA256
f6ace0fa52d5aea30eb15337bb94108377338cdcc08bedf944b69aac1785aeb0

SHA512
b7c0f7eed49df58b0b2bcdfa8e4a5d26a71f3a3a8d873a5188586acde55540f0667328b20e7daea033c145e1c5cad390edd2722d0831b5da99d278a9b5b10c4a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe

Filesize
1.7MB

MD5
179972cf4d030dcef96ab54f19e33fd1

SHA1
7fd0e9a351dd84e6cd0b35ff265e73659e7e2621

SHA256
1421dd4cde79403511f33731bd488ef1f8ffb82e7f10f99fa77f1eae12c23df3

SHA512
6ed3cfef47e2517b0e5ca2210c16df2b9d4d2d660896b58461dccae52b97417df7b9067a3f4ac2497bd1680b130d1f7c3721f011ba06ba709f754473f148c395

Download Submit
\Users\Admin\AppData\Local\Temp\dll3.exe

Filesize
311KB

MD5
acffd660aabd9b783ceeaa5fa8592708

SHA1
84df5ff0eef89f3aae125c6b9c4477358ae978a5

SHA256
9af536e7f0bf8abc46ad8f15e1988e5d2b25e230cf2480cc86918a46dc638aa9

SHA512
8ee30afa0ac3c5bc741354deafb30bed61cb1ae9748c6e7b21be8a3d51912cddd405b3c5727a2c792c9a45692051e9ebd5df306192246389493470317ba10f31

Download Submit
\Users\Admin\AppData\Local\Temp\fsSetup136s.exe

Filesize
1.8MB

MD5
1c22db154885c5f27659aa405437d547

SHA1
0c44c939e479fd9d680e753f541b301f81de41d9

SHA256
2b0d6ce75d59779372d5ade39dfacba563d78f068081a6fb399455060d47befa

SHA512
91988977a3736bae5df38194deb320ea55e4aa4453297f3634c66cd60010a30ff7d8bfa811d549e8554f30beeb069417a32b9a81722629b0d8828eda000c83e2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\InstallOptions.dll

Filesize
15KB

MD5
8ea4a187f656fdc65f1cc256d3bf7ce3

SHA1
5d0789933890708986e1f8d23ac6b5d7a8ef61e4

SHA256
97591a15ccb7cc007820584f237e919db7a4e9383e9fcb8c16d79cfb95f7ca3c

SHA512
d47b592a5fd40f7ed158a7a91944f6464fb04fdbca796c13b29f518d43205382b75503d8702fc14c1dad47abacba34ef47371dfaa2443f6b61a1f9cf106064b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\LangDLL.dll

Filesize
5KB

MD5
e0423e0ff58a8c622b2ad11873337d03

SHA1
05d5f1c5b2091b8f654bfd8b63cf0681ae0ee8cf

SHA256
fbb5410516fd54982a0047ba69d555857d4df74f7df73fbf903e2e0c8c09e12a

SHA512
cae1520d290a4a7f26df2442ee4be66e2b24eb180b46b48fc55ddfe1d57e3d16acdf1290a7a235896a127135d2f0b1bee128d76dea1f39baafedc0794f4a1b73

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
memory/536-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1484-0-0x0000000074872000-0x0000000074874000-memory.dmp

Filesize
8KB

Download
memory/1928-138-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1928-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download