isrstealer | d60f48dae99039d7aa7e522c0b25217954345efb91ffca77cd5cb1bacd52df30

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_948d1a5feca77f43e96988e923182315.exe
Size

404KB
MD5

948d1a5feca77f43e96988e923182315
SHA1

279484d086ac209217dec5572dfde14528dfceda
SHA256

d60f48dae99039d7aa7e522c0b25217954345efb91ffca77cd5cb1bacd52df30
SHA512

91819811553ddc79c40a3621dfff4eb447c35765ce6d490fb5c23140c851c9ffee8847bd859da3bd600d6e5cbcdd07e0df8e9d867db61b0dc2d30586e0eaf7ba
SSDEEP

6144:OdiQS0Nluv18K0UF4csKa7YTHKTXxNteM3dauJqxbvkP0GbSI/KN/7SNw:OdiQS0ruv1b0U6qmBNxguJq5vEOs

Score

10^/10

isrstealer collection discovery stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2692-22-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2692-26-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2692-41-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2692-47-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2692-49-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2604-44-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2604-46-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2604-44-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2604-46-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2692 set thread context of 2828	2692	vbc.exe	34
PID 2692 set thread context of 2604	2692	vbc.exe	36

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2828-31-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2828-36-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2828-34-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2828-33-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2828-39-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2604-42-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2604-43-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2604-44-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2604-46-0x0000000000400000-0x000000000041F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2380	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	30
PID 2528 wrote to memory of 2380	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	30
PID 2528 wrote to memory of 2380	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	30
PID 2528 wrote to memory of 2380	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	30
PID 2380 wrote to memory of 2140	2380	csc.exe	32
PID 2380 wrote to memory of 2140	2380	csc.exe	32
PID 2380 wrote to memory of 2140	2380	csc.exe	32
PID 2380 wrote to memory of 2140	2380	csc.exe	32
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2528 wrote to memory of 2692	2528	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	33
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2828	2692	vbc.exe	34
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36
PID 2692 wrote to memory of 2604	2692	vbc.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948d1a5feca77f43e96988e923182315.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948d1a5feca77f43e96988e923182315.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylcp0_ut.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA14E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\RxwqIScY3d.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\aHMW3vbbei.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp

Filesize
1KB

MD5
9a40c831c6d58240b98c985cd65d9fc8

SHA1
d3a1adc90575878bc362ccfe1c3661bee47db135

SHA256
5336db96eb6a3dc09ec7a93ad8d14be0a2f743f4a904147c4579848af65ee05e

SHA512
c9c575139d86c1e1e506fd5702ccc53dacb7fd19c1d621ff964175e480ce3d3da94e80ba783ea1b017062f669174858562bf9dd580dfcecac63b9b89e38ad73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RxwqIScY3d.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylcp0_ut.dll

Filesize
5KB

MD5
f0cab406719671d6d46179f8a18305cb

SHA1
f601d041837a67d853605e82e71c65678a6172a8

SHA256
32363455b570314015cbc6e6de965d8eaebb10a22b050f5b13908a7274bd52ae

SHA512
5e9b8bd425f27130646d852675afc45d1e28a4eeabd34b177d7c00a87c63996f6c0f7d2c39cb327807460283af45f2a7ca03e91a2d5b20cd0cf15f3135a7a25f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA14E.tmp

Filesize
652B

MD5
9aabe951c8baa325468607a4ec9b3f7c

SHA1
ffe4c9bbba2e453cefa4fa9b5f5400b1a9e20b7f

SHA256
380c4cc9cc718fd276845029c1784d116be709be9102c61dd66b0b1fef1f4eb2

SHA512
7cfe6eb7ef54eef522cd566959948b88a7dd672682e80205852b3ebe4c096490dedd1079f741ee3b94a16302de6ad75abec13564556f299030156be3d5d6f93f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylcp0_ut.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylcp0_ut.cmdline

Filesize
206B

MD5
081f57324c740c35c822823a6e247bd7

SHA1
dc6148c2dd0f528047cbfbb85097a3a33c6051e3

SHA256
cafb1d9f16d57b8420485fc26d81e8e999b6eefbc2d03141b43d3355c8c6dbf9

SHA512
a402444820f8f698017bf3e029a26d37ca93424f60e033034df85d59dc3e762267c5a79186963df9cd0d073bb5f5440a7a3321835da6b256748b0808b812a899

Download Submit
memory/2380-8-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-15-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-1-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-0-0x0000000074C61000-0x0000000074C62000-memory.dmp

Filesize
4KB

Download
memory/2528-2-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-35-0x0000000074C60000-0x000000007520B000-memory.dmp

Filesize
5.7MB

Download
memory/2604-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2692-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2828-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download