strela | 32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99

General

Target

document3044011243.js
Size

976KB
MD5

c7a0d6962c3a798b4d6603a41e9a8647
SHA1

7ab2a4088f1a66b33a7b02f40d255427e319afbc
SHA256

32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99
SHA512

5f59c33b9c765dc3cc874693b4598fd23a11d3d39501cf452810e71416d5164914bbfd63b95e9d556ecb317783d383b373518d367f2702ee16461c30717225b6
SSDEEP

12288:fwERJLB3YMdX3uMYmlRdex/TSJaSGVobPb2NCYxY8:NV9nuM+AJaSaobPKB

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

C2

91.215.85.209

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 4 IoCs

pid	Process
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2068	2896	wscript.exe	28
PID 2896 wrote to memory of 2068	2896	wscript.exe	28
PID 2896 wrote to memory of 2068	2896	wscript.exe	28
PID 2068 wrote to memory of 2852	2068	cmd.exe	30
PID 2068 wrote to memory of 2852	2068	cmd.exe	30
PID 2068 wrote to memory of 2852	2068	cmd.exe	30
PID 2068 wrote to memory of 3016	2068	cmd.exe	31
PID 2068 wrote to memory of 3016	2068	cmd.exe	31
PID 2068 wrote to memory of 3016	2068	cmd.exe	31
PID 2068 wrote to memory of 3024	2068	cmd.exe	32
PID 2068 wrote to memory of 3024	2068	cmd.exe	32
PID 2068 wrote to memory of 3024	2068	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\document3044011243.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\document3044011243.js" "C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat" && "C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\system32\findstr.exe
    FinDSTr /V S8MG8U ""C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat""
    3⤵
    PID:2852
- - C:\Windows\system32\certutil.exe
    ceRtutiL -f -deCOdEHEX 6GU5S0 U7RWGI.dll
    3⤵
    PID:3016
- - C:\Windows\system32\rundll32.exe
    ruNdll32 U7RWGI.dll,f
    3⤵
    - Loads dropped DLL
    PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6GU5S0

Filesize
975KB

MD5
7e55b8e413793afc59ad0b63d9d07139

SHA1
767bbfc09ce3bbfb00a5973314b2ed62160adb4d

SHA256
bd95dfd3851b44fe2e94ee2b8692e97befb0ebd0898a1736caf1f9ae953bce64

SHA512
78e1be96020f75281bd3f9ff066dee84c66eac8daba7dd3626cac9992ee9e44aa9cd13a2e93344c702d01ff38e4b2e8dd7bdcfed7a28dca1abb25e46bcb54682

Download Submit
C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat

Filesize
976KB

MD5
c7a0d6962c3a798b4d6603a41e9a8647

SHA1
7ab2a4088f1a66b33a7b02f40d255427e319afbc

SHA256
32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99

SHA512
5f59c33b9c765dc3cc874693b4598fd23a11d3d39501cf452810e71416d5164914bbfd63b95e9d556ecb317783d383b373518d367f2702ee16461c30717225b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CU9UVR.bat

Filesize
976KB

MD5
c7a0d6962c3a798b4d6603a41e9a8647

SHA1
7ab2a4088f1a66b33a7b02f40d255427e319afbc

SHA256
32d14ea85053943fb0d99b86ebad7a974d6afc460dfaeb57afa90a974f18da99

SHA512
5f59c33b9c765dc3cc874693b4598fd23a11d3d39501cf452810e71416d5164914bbfd63b95e9d556ecb317783d383b373518d367f2702ee16461c30717225b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7RWGI.dll

Filesize
325KB

MD5
fb336ab43aa1d1ab7c60595c49a04daf

SHA1
a565d84e86e3d4ce8dd809ab6f740550bf46757b

SHA256
34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

SHA512
763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

Download Submit
\Users\Admin\AppData\Local\Temp\U7RWGI.dll

Filesize
325KB

MD5
fb336ab43aa1d1ab7c60595c49a04daf

SHA1
a565d84e86e3d4ce8dd809ab6f740550bf46757b

SHA256
34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

SHA512
763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

Download Submit
\Users\Admin\AppData\Local\Temp\U7RWGI.dll

Filesize
325KB

MD5
fb336ab43aa1d1ab7c60595c49a04daf

SHA1
a565d84e86e3d4ce8dd809ab6f740550bf46757b

SHA256
34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

SHA512
763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

Download Submit
\Users\Admin\AppData\Local\Temp\U7RWGI.dll

Filesize
325KB

MD5
fb336ab43aa1d1ab7c60595c49a04daf

SHA1
a565d84e86e3d4ce8dd809ab6f740550bf46757b

SHA256
34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

SHA512
763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

Download Submit
\Users\Admin\AppData\Local\Temp\U7RWGI.dll

Filesize
325KB

MD5
fb336ab43aa1d1ab7c60595c49a04daf

SHA1
a565d84e86e3d4ce8dd809ab6f740550bf46757b

SHA256
34f497374a0af2d4d9714e2af401722d6ab62149cf097f447d7a3209e72d8f0e

SHA512
763e199347cbd926817f9d32531f6f9fa2016bf68b5ccb1f35456d7a5096d873dfd9b10999a954f0b8f6b19136e593e03733c9c0e89d99e9ccf058c6b90f4b0a

Download Submit
memory/3024-73-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/3024-74-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/3024-72-0x000000006D7C0000-0x000000006D819000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing