strela | 87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js
Size

4.0MB
MD5

7d7c79af0ea8ddd5ba251d0f9a34667e
SHA1

09a1563b1cc9b092cb0027d06d633d8273a28ed6
SHA256

87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff
SHA512

2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7
SSDEEP

24576:7kYjISU4NCYkYuEhMml0/WoLScl7ADF+ToUwueEYV+WeEzJooRBADu/E1bpfFUN6:7ktRp4xutEmUeUbUJ

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

193.109.85.77

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2396 regsvr32.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

2396 regsvr32.exe

pid	process
2396	regsvr32.exe

pid	process
2396	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 2820	3008	wscript.exe	cmd.exe
PID 3008 wrote to memory of 2820	3008	wscript.exe	cmd.exe
PID 3008 wrote to memory of 2820	3008	wscript.exe	cmd.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	findstr.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	findstr.exe
PID 2820 wrote to memory of 2760	2820	cmd.exe	findstr.exe
PID 2820 wrote to memory of 2788	2820	cmd.exe	certutil.exe
PID 2820 wrote to memory of 2788	2820	cmd.exe	certutil.exe
PID 2820 wrote to memory of 2788	2820	cmd.exe	certutil.exe
PID 2820 wrote to memory of 2396	2820	cmd.exe	regsvr32.exe
PID 2820 wrote to memory of 2396	2820	cmd.exe	regsvr32.exe
PID 2820 wrote to memory of 2396	2820	cmd.exe	regsvr32.exe
PID 2820 wrote to memory of 2396	2820	cmd.exe	regsvr32.exe
PID 2820 wrote to memory of 2396	2820	cmd.exe	regsvr32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js" "C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat" && "C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\findstr.exe
findstr /V stupidtwig ""C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat""
3⤵
PID:2760

C:\Windows\system32\certutil.exe
certutil -f -decode drumcannon orangesterrific.dll
3⤵
PID:2788

C:\Windows\system32\regsvr32.exe
regsvr32 orangesterrific.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2396

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drumcannon
Filesize
3.9MB

MD5
1c862514b99906b31423fda52012ffca

SHA1
9e23e205905340f09c2a326bc77e1ba90d4b4726

SHA256
1208725ada1a861469e119838ed62406a53c53c5604a1888fbfe440a9ee3af0b

SHA512
3fb0d49f4f4f61886d8ad8b0c7ccb6e2eaa9471d3c54c4f9bacb5c1dfe4e6b6ac8506295a95621e51adbbf699caaa40a63ad5133fd600b8353e4328cf0935a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ignorepumped.bat
Filesize
4.0MB

MD5
7d7c79af0ea8ddd5ba251d0f9a34667e

SHA1
09a1563b1cc9b092cb0027d06d633d8273a28ed6

SHA256
87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

SHA512
2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ignorepumped.bat
Filesize
4.0MB

MD5
7d7c79af0ea8ddd5ba251d0f9a34667e

SHA1
09a1563b1cc9b092cb0027d06d633d8273a28ed6

SHA256
87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

SHA512
2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\orangesterrific.dll
Filesize
2.9MB

MD5
ae1aa4fc8f4ca32ecfefc600206828ea

SHA1
5dfe6e3921a0a2d1c21971e15ad06b6af35570d2

SHA256
5247b5fa5f5539aa7eb0838a5589ec13f9e434263de47973fdad26fc28a3698e

SHA512
de3439ee485d62c25d74e5ef4b077b27fb58c952c1c898ebe99c465f34de7c3560ff28d554449ed6a50bdc6064e5bb17b6297049c919d565fab73eb01a67e2db

Download Submit
\Users\Admin\AppData\Local\Temp\orangesterrific.dll
Filesize
2.9MB

MD5
ae1aa4fc8f4ca32ecfefc600206828ea

SHA1
5dfe6e3921a0a2d1c21971e15ad06b6af35570d2

SHA256
5247b5fa5f5539aa7eb0838a5589ec13f9e434263de47973fdad26fc28a3698e

SHA512
de3439ee485d62c25d74e5ef4b077b27fb58c952c1c898ebe99c465f34de7c3560ff28d554449ed6a50bdc6064e5bb17b6297049c919d565fab73eb01a67e2db

Download Submit
memory/2396-4804-0x000000006D7C0000-0x000000006DAB8000-memory.dmp

Filesize
3.0MB

Download
memory/2396-4803-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2396-4805-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads