isrstealer | d60f48dae99039d7aa7e522c0b25217954345efb91ffca77cd5cb1bacd52df30

Analysis

max time kernel
103s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_948d1a5feca77f43e96988e923182315.exe
Size

404KB
MD5

948d1a5feca77f43e96988e923182315
SHA1

279484d086ac209217dec5572dfde14528dfceda
SHA256

d60f48dae99039d7aa7e522c0b25217954345efb91ffca77cd5cb1bacd52df30
SHA512

91819811553ddc79c40a3621dfff4eb447c35765ce6d490fb5c23140c851c9ffee8847bd859da3bd600d6e5cbcdd07e0df8e9d867db61b0dc2d30586e0eaf7ba
SSDEEP

6144:OdiQS0Nluv18K0UF4csKa7YTHKTXxNteM3dauJqxbvkP0GbSI/KN/7SNw:OdiQS0ruv1b0U6qmBNxguJq5vEOs

Score

10^/10

isrstealer collection discovery stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4796-18-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4796-21-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4796-39-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4796-47-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1920-38-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1920-40-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1920-43-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1920-38-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1920-40-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1920-43-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 4796 set thread context of 1516	4796	vbc.exe	93
PID 4796 set thread context of 1920	4796	vbc.exe	99

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1516-25-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1516-29-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1516-28-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1516-27-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1516-32-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1920-34-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1920-37-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1920-38-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1920-40-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1920-43-0x0000000000400000-0x000000000041F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4796	vbc.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3240	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	89
PID 2776 wrote to memory of 3240	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	89
PID 2776 wrote to memory of 3240	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	89
PID 3240 wrote to memory of 2224	3240	csc.exe	91
PID 3240 wrote to memory of 2224	3240	csc.exe	91
PID 3240 wrote to memory of 2224	3240	csc.exe	91
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 2776 wrote to memory of 4796	2776	JaffaCakes118_948d1a5feca77f43e96988e923182315.exe	92
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1516	4796	vbc.exe	93
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99
PID 4796 wrote to memory of 1920	4796	vbc.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948d1a5feca77f43e96988e923182315.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_948d1a5feca77f43e96988e923182315.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rqh0woov.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB64.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB63.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\G31XQM05TP.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\uWvwQl8qNJ.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\G31XQM05TP.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB64.tmp

Filesize
1KB

MD5
abda0e8d41b77be39b305a9a2f1a6eaa

SHA1
ef58f89f36b385d8fc80779a893ca7316cf20593

SHA256
269300f11a125f0cb97c95628a2826badd7a00b089221f245f4862cb82b569fc

SHA512
0582bf7fe76e6bb41ecce379b3147be23bfaab05ecb558020cb60c5495549b319914f0c2f305250edde6c5c64b26829a65d5a8d07d7c1c533415582041b217f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqh0woov.dll

Filesize
5KB

MD5
1600d4c247e73dcd803135630e2f24f6

SHA1
2780563624976af60558fbfde4a864cffb9e7eea

SHA256
f3d5645387f2bc4e3314930cbfd0e784f237f86d718c0648cb9af328ac2d4ae7

SHA512
eff056711565f7f1529e7c876c60037b16cb0472e0b144bf2d747eb74cb2a89a3033d241e295697f3bfcf9f56ab4264ef80e054acb60786b5b6a52238344ce64

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAB63.tmp

Filesize
652B

MD5
fe99c8820f7c5722efc18b631d5ad842

SHA1
fa604646c8ea5168005aab757f759fc10545f73e

SHA256
510928fb0a8262977581ca04d5cee8c02bb479ccebb780cda7dc865bfd26686b

SHA512
676c653fb9a654e441bc470093c5ffef5296fdd5d0b98b72afa620c555009552d2f2128a6636e52f70e8f5f6b784724e3fc05454eb12dcf56efc9e808e9bc4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqh0woov.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqh0woov.cmdline

Filesize
206B

MD5
a5d2d6935b123e779bb55f056f8286b0

SHA1
714f24795a3fc2ff09978294d69acf73e48ecda5

SHA256
af181f143bcf341920cec18e368bbec32681c00dedbbc24ece23dab550c0c063

SHA512
ecfc01fde5e36f42dfc5ec2a4e6dd365c7af9683421d5530da41e0aa2b7138aaa80f191d217718f8872b2c5866933c46818a8c3436e1effb6e4465b559f6f96b

Download Submit
memory/1516-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1516-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1516-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1516-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1516-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1920-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-2-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2776-0-0x0000000074902000-0x0000000074903000-memory.dmp

Filesize
4KB

Download
memory/2776-1-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2776-23-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3240-10-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3240-15-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4796-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-45-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/4796-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download