strela | 80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f

Analysis

max time kernel
315s
max time network
390s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21-07-2023 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDF152551386013601.js
Size

1.1MB
MD5

2401ec9ab6c8a2c5ebcfdd3542411ad6
SHA1

5f7eb86500f85f53cc1647db6b8571cfc044a115
SHA256

80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f
SHA512

02a2f8eb4640b7f0b67d2689a37fc587c6f2489d0f6a01f80ba632a3f41264a64cc2d05aca6e399d89b6674083f543cb994385c67c8eca030d8748ef01728873
SSDEEP

24576:AACtn8Kmt03FWjMjGsyZWuPFOLqCF/Hp2w8Qr/8Nhctk+gniMKlF7vc39gW:3N

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

91.215.85.209

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
380	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1400	4896	wscript.exe	70
PID 4896 wrote to memory of 1400	4896	wscript.exe	70
PID 1400 wrote to memory of 3808	1400	cmd.exe	72
PID 1400 wrote to memory of 3808	1400	cmd.exe	72
PID 1400 wrote to memory of 4492	1400	cmd.exe	73
PID 1400 wrote to memory of 4492	1400	cmd.exe	73
PID 1400 wrote to memory of 380	1400	cmd.exe	74
PID 1400 wrote to memory of 380	1400	cmd.exe	74

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF152551386013601.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF152551386013601.js" "C:\Users\Admin\AppData\Local\Temp\\dasjihejcghivsccuxzjlgydmyiujyybajpdkfvyotqelwyihp.bat" && "C:\Users\Admin\AppData\Local\Temp\\dasjihejcghivsccuxzjlgydmyiujyybajpdkfvyotqelwyihp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\findstr.exe
    findstr /V nstmepzyyvvpdvehydgghripesbrbamwixbxvicbkuwlsiceby ""C:\Users\Admin\AppData\Local\Temp\\dasjihejcghivsccuxzjlgydmyiujyybajpdkfvyotqelwyihp.bat""
    3⤵
    PID:3808
- - C:\Windows\system32\certutil.exe
    certutil -f -decode mspylzvhrjafeijdzzeocqdyfpshrzaqwainvoxzdoofedkvpr bmjblukalwjdjppvzhlrwyccchwlwkbxcrouzdyeklwzsqzbbz.dll
    3⤵
    PID:4492
- - C:\Windows\system32\rundll32.exe
    rundll32 bmjblukalwjdjppvzhlrwyccchwlwkbxcrouzdyeklwzsqzbbz.dll,x
    3⤵
    - Loads dropped DLL
    PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bmjblukalwjdjppvzhlrwyccchwlwkbxcrouzdyeklwzsqzbbz.dll

Filesize
820KB

MD5
88fc768f1e1c86650a267c4c54c14607

SHA1
627be98bb24119e11572d0746b31be03b72d1bff

SHA256
0ab2b87d8f6e4931d9ffadd9d61e3a5c62b121687e3a8ca9a9b248360bbeaad8

SHA512
78c896fcbb47ef84aab62a565ef0d147e68df6d0e3fccceb391d7770167dc51cbcb79ec097e546b740a64d552ba5697cc1ea2c8d5d3abe9b4a5f4ac81312ceee

Download Submit
C:\Users\Admin\AppData\Local\Temp\dasjihejcghivsccuxzjlgydmyiujyybajpdkfvyotqelwyihp.bat

Filesize
1.1MB

MD5
2401ec9ab6c8a2c5ebcfdd3542411ad6

SHA1
5f7eb86500f85f53cc1647db6b8571cfc044a115

SHA256
80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f

SHA512
02a2f8eb4640b7f0b67d2689a37fc587c6f2489d0f6a01f80ba632a3f41264a64cc2d05aca6e399d89b6674083f543cb994385c67c8eca030d8748ef01728873

Download Submit
C:\Users\Admin\AppData\Local\Temp\dasjihejcghivsccuxzjlgydmyiujyybajpdkfvyotqelwyihp.bat

Filesize
1.1MB

MD5
2401ec9ab6c8a2c5ebcfdd3542411ad6

SHA1
5f7eb86500f85f53cc1647db6b8571cfc044a115

SHA256
80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f

SHA512
02a2f8eb4640b7f0b67d2689a37fc587c6f2489d0f6a01f80ba632a3f41264a64cc2d05aca6e399d89b6674083f543cb994385c67c8eca030d8748ef01728873

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspylzvhrjafeijdzzeocqdyfpshrzaqwainvoxzdoofedkvpr

Filesize
1.1MB

MD5
b9970d0652e0ae78de4def9c6bcd3f69

SHA1
1c305f1db905de98dc67718700e8e63c3ec704da

SHA256
ff7bb09f545ca7a8f470275c6c4314d9cac95a6ca46ef42276dfef0be6213811

SHA512
2a77eb5d4bc88949df1d607c04e0c7e9f64b059d3090e82fd7c5c9d9aded4336b3c4450fd8465aa6ad2c20b53826b15aa40cfbccb8e6556d6c241fdc6ed08212

Download Submit
\Users\Admin\AppData\Local\Temp\bmjblukalwjdjppvzhlrwyccchwlwkbxcrouzdyeklwzsqzbbz.dll

Filesize
820KB

MD5
88fc768f1e1c86650a267c4c54c14607

SHA1
627be98bb24119e11572d0746b31be03b72d1bff

SHA256
0ab2b87d8f6e4931d9ffadd9d61e3a5c62b121687e3a8ca9a9b248360bbeaad8

SHA512
78c896fcbb47ef84aab62a565ef0d147e68df6d0e3fccceb391d7770167dc51cbcb79ec097e546b740a64d552ba5697cc1ea2c8d5d3abe9b4a5f4ac81312ceee

Download Submit
memory/380-163-0x000000006D7C0000-0x000000006D895000-memory.dmp

Filesize
852KB

Download
memory/380-164-0x000001CE2E160000-0x000001CE2E181000-memory.dmp

Filesize
132KB

Download