strela | f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecaba

General

Target

f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js
Size

333KB
MD5

369fb2cf1cb2dcedd67f9340ce47b95c
SHA1

7074e9849057a5e4ae7debf7b9e9156ed38f654d
SHA256

f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecaba
SHA512

a7ef8924e368e4caf2d3200143f75754733eb2db087bffc8dea6a0b03fbe04fe5edecfa4268e169ca66b9570a218dc2d17da3c4533cdb1b849be50eeda74d55d
SSDEEP

6144:+k6LXBrAkN2wqug9iX3FOvcAiogR8WorQGGKdLdyNmkzSF9jiKAOtJfgwvs48WFM:+pAa2wqug9iHFOvcAiogR8WorQGGKdL0

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

C2

91.215.85.209

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1504 rundll32.exe
1504 rundll32.exe
1504 rundll32.exe
1504 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 2828	1652	wscript.exe	cmd.exe
PID 1652 wrote to memory of 2828	1652	wscript.exe	cmd.exe
PID 1652 wrote to memory of 2828	1652	wscript.exe	cmd.exe
PID 2828 wrote to memory of 2456	2828	cmd.exe	findstr.exe
PID 2828 wrote to memory of 2456	2828	cmd.exe	findstr.exe
PID 2828 wrote to memory of 2456	2828	cmd.exe	findstr.exe
PID 2828 wrote to memory of 988	2828	cmd.exe	certutil.exe
PID 2828 wrote to memory of 988	2828	cmd.exe	certutil.exe
PID 2828 wrote to memory of 988	2828	cmd.exe	certutil.exe
PID 2828 wrote to memory of 1504	2828	cmd.exe	rundll32.exe
PID 2828 wrote to memory of 1504	2828	cmd.exe	rundll32.exe
PID 2828 wrote to memory of 1504	2828	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecabajs_JC.js" "C:\Users\Admin\AppData\Local\Temp\\bwipu.bat" && "C:\Users\Admin\AppData\Local\Temp\\bwipu.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\findstr.exe
findstr /V eyyou ""C:\Users\Admin\AppData\Local\Temp\\bwipu.bat""
3⤵
PID:2456

C:\Windows\system32\certutil.exe
certutil -f -decode rpqyx vogac.dll
3⤵
PID:988

C:\Windows\system32\rundll32.exe
rundll32 vogac.dll,hello
3⤵
- Loads dropped DLL
PID:1504

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwipu.bat
Filesize
333KB

MD5
369fb2cf1cb2dcedd67f9340ce47b95c

SHA1
7074e9849057a5e4ae7debf7b9e9156ed38f654d

SHA256
f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecaba

SHA512
a7ef8924e368e4caf2d3200143f75754733eb2db087bffc8dea6a0b03fbe04fe5edecfa4268e169ca66b9570a218dc2d17da3c4533cdb1b849be50eeda74d55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwipu.bat
Filesize
333KB

MD5
369fb2cf1cb2dcedd67f9340ce47b95c

SHA1
7074e9849057a5e4ae7debf7b9e9156ed38f654d

SHA256
f7014b7fb1932f07dada4879b5368afe144ca03df046a0573a0d5c4a5fbecaba

SHA512
a7ef8924e368e4caf2d3200143f75754733eb2db087bffc8dea6a0b03fbe04fe5edecfa4268e169ca66b9570a218dc2d17da3c4533cdb1b849be50eeda74d55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpqyx
Filesize
329KB

MD5
c67ef436f1675d2a87a76888fe132141

SHA1
ef553329ffe56e859072545bb9f259882d53bb54

SHA256
3ad57e95facaf9acd8356d0054e2821719b7962210cace57ed9a9146636c68b3

SHA512
a21e36d67e33916a67711b9693692ae868c52bfa6402f7fd18a64a268929c3de7e8bb8ad3bc5a547f3e0624a6dff8909bf28a03beda7a145566bc4b2888cd9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vogac.dll
Filesize
244KB

MD5
0b338721a3e9bc698cf9c7a5b1cb75de

SHA1
fc0789a6c590b6c087f60058c3253affd211ec40

SHA256
0a8ad4d66d69b43cb3e88cab50556f6a98db1e03634da4d7ed0d6b8ced7cb0bd

SHA512
6f25c8c57bc99a1d741d79236a927257a868278dd55e8a3760935a2996912e9cb8cb4ebae586db449758d1b16fc9d4799211748c4dda769d6cbedc89e8c7353c

Download Submit
\Users\Admin\AppData\Local\Temp\vogac.dll
Filesize
244KB

MD5
0b338721a3e9bc698cf9c7a5b1cb75de

SHA1
fc0789a6c590b6c087f60058c3253affd211ec40

SHA256
0a8ad4d66d69b43cb3e88cab50556f6a98db1e03634da4d7ed0d6b8ced7cb0bd

SHA512
6f25c8c57bc99a1d741d79236a927257a868278dd55e8a3760935a2996912e9cb8cb4ebae586db449758d1b16fc9d4799211748c4dda769d6cbedc89e8c7353c

Download Submit
\Users\Admin\AppData\Local\Temp\vogac.dll
Filesize
244KB

MD5
0b338721a3e9bc698cf9c7a5b1cb75de

SHA1
fc0789a6c590b6c087f60058c3253affd211ec40

SHA256
0a8ad4d66d69b43cb3e88cab50556f6a98db1e03634da4d7ed0d6b8ced7cb0bd

SHA512
6f25c8c57bc99a1d741d79236a927257a868278dd55e8a3760935a2996912e9cb8cb4ebae586db449758d1b16fc9d4799211748c4dda769d6cbedc89e8c7353c

Download Submit
\Users\Admin\AppData\Local\Temp\vogac.dll
Filesize
244KB

MD5
0b338721a3e9bc698cf9c7a5b1cb75de

SHA1
fc0789a6c590b6c087f60058c3253affd211ec40

SHA256
0a8ad4d66d69b43cb3e88cab50556f6a98db1e03634da4d7ed0d6b8ced7cb0bd

SHA512
6f25c8c57bc99a1d741d79236a927257a868278dd55e8a3760935a2996912e9cb8cb4ebae586db449758d1b16fc9d4799211748c4dda769d6cbedc89e8c7353c

Download Submit
\Users\Admin\AppData\Local\Temp\vogac.dll
Filesize
244KB

MD5
0b338721a3e9bc698cf9c7a5b1cb75de

SHA1
fc0789a6c590b6c087f60058c3253affd211ec40

SHA256
0a8ad4d66d69b43cb3e88cab50556f6a98db1e03634da4d7ed0d6b8ced7cb0bd

SHA512
6f25c8c57bc99a1d741d79236a927257a868278dd55e8a3760935a2996912e9cb8cb4ebae586db449758d1b16fc9d4799211748c4dda769d6cbedc89e8c7353c

Download Submit
memory/1504-2351-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/1504-2352-0x000000006D7C0000-0x000000006D805000-memory.dmp

Filesize
276KB

Download
memory/1504-2353-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing