strela | 506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba

Analysis

max time kernel
119s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05-09-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Strela.js
Size

3.9MB
MD5

2c87dd2b3fc3d243a06bf947f4c7d7ac
SHA1

be2acdaee1128946a1eec5a449f8ed6f21e06759
SHA256

506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba
SHA512

ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77
SSDEEP

24576:miLxXraB4Ze8MYp39KlgOS+j2SrM+2RpgGsIh0GYDDRV2GbnFEcmNIMHTXkE/71K:TLJne0zSzd2aU4Gl0lSXkEDblUbUW

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

193.109.85.77

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2792 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

2792 regsvr32.exe

pid	process
2792	regsvr32.exe

pid	process
2792	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 2132 wrote to memory of 1452	2132	wscript.exe	cmd.exe
PID 2132 wrote to memory of 1452	2132	wscript.exe	cmd.exe
PID 2132 wrote to memory of 1452	2132	wscript.exe	cmd.exe
PID 1452 wrote to memory of 2640	1452	cmd.exe	findstr.exe
PID 1452 wrote to memory of 2640	1452	cmd.exe	findstr.exe
PID 1452 wrote to memory of 2640	1452	cmd.exe	findstr.exe
PID 1452 wrote to memory of 2932	1452	cmd.exe	certutil.exe
PID 1452 wrote to memory of 2932	1452	cmd.exe	certutil.exe
PID 1452 wrote to memory of 2932	1452	cmd.exe	certutil.exe
PID 1452 wrote to memory of 2792	1452	cmd.exe	regsvr32.exe
PID 1452 wrote to memory of 2792	1452	cmd.exe	regsvr32.exe
PID 1452 wrote to memory of 2792	1452	cmd.exe	regsvr32.exe
PID 1452 wrote to memory of 2792	1452	cmd.exe	regsvr32.exe
PID 1452 wrote to memory of 2792	1452	cmd.exe	regsvr32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Strela.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\Strela.js" "C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat" && "C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\findstr.exe
findstr /V fretfulbored ""C:\Users\Admin\AppData\Local\Temp\\fetchfrogs.bat""
3⤵
PID:2640

C:\Windows\system32\certutil.exe
certutil -f -decode bedroomsalty stationstep.dll
3⤵
PID:2932

C:\Windows\system32\regsvr32.exe
regsvr32 stationstep.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2792

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bedroomsalty
Filesize
3.8MB

MD5
e8de3c21be4f6092503dba69d977a00c

SHA1
5c9a0e5a437f1555e2b636e24ae6c1e26255d8a6

SHA256
6fe373e7dd6dd01950f617043c2f96cc0d1e10dcc9051d0db0f5641610098b0b

SHA512
3b3ba1be0451e055a7684f346dedcad0f2b61e22f946a671f5aa37aebedd6e411b10eb1636154d4c75cec428db7aaf30f0a24b93a816a46aded837c2eedf52c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fetchfrogs.bat
Filesize
3.9MB

MD5
2c87dd2b3fc3d243a06bf947f4c7d7ac

SHA1
be2acdaee1128946a1eec5a449f8ed6f21e06759

SHA256
506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba

SHA512
ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fetchfrogs.bat
Filesize
3.9MB

MD5
2c87dd2b3fc3d243a06bf947f4c7d7ac

SHA1
be2acdaee1128946a1eec5a449f8ed6f21e06759

SHA256
506a0f63c640aa0702a286847553b02d9cda218ffb2ff1f38bc017247c49fcba

SHA512
ae6daf7009ffdf429975cbeb9b4f539048ec9bad7e6184eeeeb39ee9ff04676f44df63a277515adb99b6a613f28f1f9a65e5390991f7f01b5adfaacfc1dc4b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\stationstep.dll
Filesize
2.8MB

MD5
1ab0f628aa9c218d87af4a836ca48d28

SHA1
ba54f3344447217be60bfa62bfe7a610abb89091

SHA256
f76a1cf204203e39633989fa428ab9c9b29a93276cc98c3df177d6aef34f0988

SHA512
f723735d4cf16bc78596d529a2c951014306ba509da1a46393527f3a30222b718ac19fd93dd6e6274249722609fb784fa10d1cb4ff66e0c68682ab015196d0e7

Download Submit
\Users\Admin\AppData\Local\Temp\stationstep.dll
Filesize
2.8MB

MD5
1ab0f628aa9c218d87af4a836ca48d28

SHA1
ba54f3344447217be60bfa62bfe7a610abb89091

SHA256
f76a1cf204203e39633989fa428ab9c9b29a93276cc98c3df177d6aef34f0988

SHA512
f723735d4cf16bc78596d529a2c951014306ba509da1a46393527f3a30222b718ac19fd93dd6e6274249722609fb784fa10d1cb4ff66e0c68682ab015196d0e7

Download Submit
memory/2792-5648-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/2792-5647-0x000000006D7C0000-0x000000006DA9E000-memory.dmp

Filesize
2.9MB

Download