isrstealer | 037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d

Analysis

max time kernel
104s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Size

2.8MB
MD5

7e2819ee5d4b6c85a23623599d6296d1
SHA1

44cd2d86ba52202b11b171570237f6007019005f
SHA256

037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d
SHA512

53c893ab4bb386a87c6f84f8643105797a3b03b22bdbcd05cb13e8166d890d0e56d57eb5ad6290c8b8df4aa81845a77aa9b58d799041b3f17955eeee04398b3e
SSDEEP

49152:sXi8Z3dnHh9GVXYWmr7IKDvYq3j/DW2VBaB0:

Score

10^/10

isrstealer collection discovery stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4660-39-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4660-41-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4660-141-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4660-149-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	fsSetup136s.exe

Executes dropped EXE 3 IoCs

pid	Process
2736	fsSetup136s.exe
3048	dll3.exe
4572	fsSetup136s.exe

Loads dropped DLL 3 IoCs

pid	Process
4572	fsSetup136s.exe
4572	fsSetup136s.exe
4572	fsSetup136s.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 4660	3048	dll3.exe	91
PID 4660 set thread context of 4540	4660	vbc.exe	92
PID 4660 set thread context of 2536	4660	vbc.exe	93

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4540-45-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4540-51-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4540-47-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4540-46-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2536-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2536-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsSetup136s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsSetup136s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dll3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4572	fsSetup136s.exe
4572	fsSetup136s.exe
4572	fsSetup136s.exe
4572	fsSetup136s.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4572	fsSetup136s.exe
4660	vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2736	2848	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	87
PID 2848 wrote to memory of 2736	2848	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	87
PID 2848 wrote to memory of 2736	2848	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	87
PID 2848 wrote to memory of 3048	2848	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	88
PID 2848 wrote to memory of 3048	2848	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	88
PID 2848 wrote to memory of 3048	2848	JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe	88
PID 2736 wrote to memory of 4572	2736	fsSetup136s.exe	89
PID 2736 wrote to memory of 4572	2736	fsSetup136s.exe	89
PID 2736 wrote to memory of 4572	2736	fsSetup136s.exe	89
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 3048 wrote to memory of 4660	3048	dll3.exe	91
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 4540	4660	vbc.exe	92
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93
PID 4660 wrote to memory of 2536	4660	vbc.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe
  "C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4572
- C:\Users\Admin\AppData\Local\Temp\dll3.exe
  "C:\Users\Admin\AppData\Local\Temp\dll3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\bACPbTgy5j.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\bAsP3p4dHo.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe

Filesize
1.7MB

MD5
179972cf4d030dcef96ab54f19e33fd1

SHA1
7fd0e9a351dd84e6cd0b35ff265e73659e7e2621

SHA256
1421dd4cde79403511f33731bd488ef1f8ffb82e7f10f99fa77f1eae12c23df3

SHA512
6ed3cfef47e2517b0e5ca2210c16df2b9d4d2d660896b58461dccae52b97417df7b9067a3f4ac2497bd1680b130d1f7c3721f011ba06ba709f754473f148c395

Download Submit
C:\Users\Admin\AppData\Local\Temp\bACPbTgy5j.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll3.exe

Filesize
311KB

MD5
acffd660aabd9b783ceeaa5fa8592708

SHA1
84df5ff0eef89f3aae125c6b9c4477358ae978a5

SHA256
9af536e7f0bf8abc46ad8f15e1988e5d2b25e230cf2480cc86918a46dc638aa9

SHA512
8ee30afa0ac3c5bc741354deafb30bed61cb1ae9748c6e7b21be8a3d51912cddd405b3c5727a2c792c9a45692051e9ebd5df306192246389493470317ba10f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe

Filesize
1.8MB

MD5
1c22db154885c5f27659aa405437d547

SHA1
0c44c939e479fd9d680e753f541b301f81de41d9

SHA256
2b0d6ce75d59779372d5ade39dfacba563d78f068081a6fb399455060d47befa

SHA512
91988977a3736bae5df38194deb320ea55e4aa4453297f3634c66cd60010a30ff7d8bfa811d549e8554f30beeb069417a32b9a81722629b0d8828eda000c83e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\InstallOptions.dll

Filesize
15KB

MD5
8ea4a187f656fdc65f1cc256d3bf7ce3

SHA1
5d0789933890708986e1f8d23ac6b5d7a8ef61e4

SHA256
97591a15ccb7cc007820584f237e919db7a4e9383e9fcb8c16d79cfb95f7ca3c

SHA512
d47b592a5fd40f7ed158a7a91944f6464fb04fdbca796c13b29f518d43205382b75503d8702fc14c1dad47abacba34ef47371dfaa2443f6b61a1f9cf106064b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\LangDLL.dll

Filesize
5KB

MD5
e0423e0ff58a8c622b2ad11873337d03

SHA1
05d5f1c5b2091b8f654bfd8b63cf0681ae0ee8cf

SHA256
fbb5410516fd54982a0047ba69d555857d4df74f7df73fbf903e2e0c8c09e12a

SHA512
cae1520d290a4a7f26df2442ee4be66e2b24eb180b46b48fc55ddfe1d57e3d16acdf1290a7a235896a127135d2f0b1bee128d76dea1f39baafedc0794f4a1b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\ShortcutAsk.ini

Filesize
436B

MD5
b8a4c5e1709cfee4f7447d9966b6be8c

SHA1
5b50d94b44d3587aff9f8fe4caca561a988e3782

SHA256
191346888e5536eeea10c4239c3e6fcfa643cdd2294cb75215c7e8d0df334af5

SHA512
048237802ea448bf59ac8c334eed96ab8f85efb22b05d9fef14b9f53110da96aec829eb13e5b7f167c5b902c99ea7c9df669214c09fb525e6bc040772e74e9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\ioSpecial.ini

Filesize
1KB

MD5
ebc7395a58b541a0cec76fdb0ee4f542

SHA1
172c75957a66feca9c8d663a00d1491a01e488e2

SHA256
b0dbb70428b31e7d030ebd1215af1ff6082e1c4120aafdffe66b4b4999b52171

SHA512
49444f14a89e03ea373756b4d830b480242ec3c6892402c2ff97ca585d6ca6a383adb7a9724b94cd8ca666d5986798cdb5716d90ecb77464d6c75612cdc3cca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
memory/2536-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2536-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2848-2-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2848-1-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000074F62000-0x0000000074F63000-memory.dmp

Filesize
4KB

Download
memory/2848-20-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3048-22-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3048-44-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/3048-21-0x0000000074F60000-0x0000000075511000-memory.dmp

Filesize
5.7MB

Download
memory/4540-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-51-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-49-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/4540-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download