strela | 87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js
Size

4.0MB
MD5

7d7c79af0ea8ddd5ba251d0f9a34667e
SHA1

09a1563b1cc9b092cb0027d06d633d8273a28ed6
SHA256

87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff
SHA512

2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7
SSDEEP

24576:7kYjISU4NCYkYuEhMml0/WoLScl7ADF+ToUwueEYV+WeEzJooRBADu/E1bpfFUN6:7ktRp4xutEmUeUbUJ

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

193.109.85.77

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
2720	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3028	2892	wscript.exe	83
PID 2892 wrote to memory of 3028	2892	wscript.exe	83
PID 3028 wrote to memory of 1468	3028	cmd.exe	93
PID 3028 wrote to memory of 1468	3028	cmd.exe	93
PID 3028 wrote to memory of 4644	3028	cmd.exe	94
PID 3028 wrote to memory of 4644	3028	cmd.exe	94
PID 3028 wrote to memory of 2720	3028	cmd.exe	95
PID 3028 wrote to memory of 2720	3028	cmd.exe	95

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff_JC.js" "C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat" && "C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\findstr.exe
    findstr /V stupidtwig ""C:\Users\Admin\AppData\Local\Temp\\ignorepumped.bat""
    3⤵
    PID:1468
- - C:\Windows\system32\certutil.exe
    certutil -f -decode drumcannon orangesterrific.dll
    3⤵
    PID:4644
- - C:\Windows\system32\regsvr32.exe
    regsvr32 orangesterrific.dll
    3⤵
    - Loads dropped DLL
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drumcannon

Filesize
3.9MB

MD5
1c862514b99906b31423fda52012ffca

SHA1
9e23e205905340f09c2a326bc77e1ba90d4b4726

SHA256
1208725ada1a861469e119838ed62406a53c53c5604a1888fbfe440a9ee3af0b

SHA512
3fb0d49f4f4f61886d8ad8b0c7ccb6e2eaa9471d3c54c4f9bacb5c1dfe4e6b6ac8506295a95621e51adbbf699caaa40a63ad5133fd600b8353e4328cf0935a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ignorepumped.bat

Filesize
4.0MB

MD5
7d7c79af0ea8ddd5ba251d0f9a34667e

SHA1
09a1563b1cc9b092cb0027d06d633d8273a28ed6

SHA256
87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

SHA512
2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ignorepumped.bat

Filesize
4.0MB

MD5
7d7c79af0ea8ddd5ba251d0f9a34667e

SHA1
09a1563b1cc9b092cb0027d06d633d8273a28ed6

SHA256
87f3de379c3c126d924791f31cec59d4eb5cbe5b63f1a307b11890dafaf433ff

SHA512
2fbdc59181d61cca4a513c4a94fd29edb59b2d11a763040b75fd837759e3767f0d483211a2b8c0f3dfee797f3cb651374d413afe80d88a7761db27f8060685b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\orangesterrific.dll

Filesize
2.9MB

MD5
ae1aa4fc8f4ca32ecfefc600206828ea

SHA1
5dfe6e3921a0a2d1c21971e15ad06b6af35570d2

SHA256
5247b5fa5f5539aa7eb0838a5589ec13f9e434263de47973fdad26fc28a3698e

SHA512
de3439ee485d62c25d74e5ef4b077b27fb58c952c1c898ebe99c465f34de7c3560ff28d554449ed6a50bdc6064e5bb17b6297049c919d565fab73eb01a67e2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\orangesterrific.dll

Filesize
2.9MB

MD5
ae1aa4fc8f4ca32ecfefc600206828ea

SHA1
5dfe6e3921a0a2d1c21971e15ad06b6af35570d2

SHA256
5247b5fa5f5539aa7eb0838a5589ec13f9e434263de47973fdad26fc28a3698e

SHA512
de3439ee485d62c25d74e5ef4b077b27fb58c952c1c898ebe99c465f34de7c3560ff28d554449ed6a50bdc6064e5bb17b6297049c919d565fab73eb01a67e2db

Download Submit
memory/2720-4803-0x00000000010B0000-0x00000000010D1000-memory.dmp

Filesize
132KB

Download
memory/2720-4804-0x000000006D7C0000-0x000000006DAB8000-memory.dmp

Filesize
3.0MB

Download