General

  • Target

    e632c7853782a7d4251f761a03037ca33e2421b2bec28d4afefb8ae516460c88

  • Size

    1.5MB

  • Sample

    231014-eh2fyshb77

  • MD5

    a9ac31d650c74d482263be9bd24b3a27

  • SHA1

    d06b913e906277d8f818641660a26beada4b310f

  • SHA256

    e632c7853782a7d4251f761a03037ca33e2421b2bec28d4afefb8ae516460c88

  • SHA512

    36789dc0795f82aabf56bf45c037ee8a92cbcf50f5d23c808611a7329236cdb699453121fc0875e86f19ed2c8a883211b31623c81734661ff933591386d268b1

  • SSDEEP

    24576:/l/6hSRaDfj0NRCLRyADOJUuBKyOetHnvjneCtP8C8BB5Le4IVs/v6e2:/QeaD5LRnD4KaN7nXtP8XZqKT2

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pipecoasia.com/f1.ps1

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://bikexiner.lotieneconisiore.com/file1.ps1

Extracted

Language
ps1
Source
URLs
exe.dropper

https://awaisdanish.com/NnRU/A9H1Fe

exe.dropper

https://engvida.com.br/rLm/NGmIi5P3XiL

exe.dropper

https://ubmhaiti.org/thQ6L/mXnm4i

exe.dropper

https://edsenezaluminum.com/OPG/DUrpztqwlD

exe.dropper

https://yellowhatglobal.com/G1RW/sGxfFVZ7

exe.dropper

https://availablecleaner.com/whgio/aYZqmR

Extracted

Family

strela

C2

91.215.85.209

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1bDMmMiZveQVwS9Ni4mQLsBYrsYXm_mY9

Targets

    • Target

      ½ļ/1.js

    • Size

      45KB

    • MD5

      2b4fd5e86969e9a8b56ce60175c15866

    • SHA1

      0e6890d6be1462aa5576a00ddaac640214e70256

    • SHA256

      0075ad3afcd0768928f57844818f6c0765d84d358415075f047346ec119242b0

    • SHA512

      7769908e20121e3e50fea394c16497a99ceae2313af6e7c8bd9952bd8ea8bf0a71aba1fbd47f1462281c91b0db7aa21896413660069b8e413ea8cd65f925f4db

    • SSDEEP

      768:NZLlAbEuwYu+sN8Ra/4Rm9yLudr3i+ngm6rEZC0Sao4:C4uoNcawo9sUr3i+ngyC0Saj

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Target

      ½ļ/10.js

    • Size

      108KB

    • MD5

      7cc6b701596efd1d0a217a207d5f7f43

    • SHA1

      66e2387f2a2e327f3736ead9c3590e8cab5c2cc0

    • SHA256

      ce83f65ece1383a8d652d9baef2abd6132d6cf92811c26de38618ef87ea26966

    • SHA512

      394f22699828126d395f40d7c5103033ae3782ca23fe0a6f6e0439b520d276acdba8c48576f12ecc6500f534b796f670b8e61e06c079ff9b41e92e8dad6e6fb6

    • SSDEEP

      1536:l7jA8yJ7PTM51fIPnPl1JPGfI8y1bTM51fIyhlDblipVbliDGGWh1d8TM51fIVTl:P

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      ½ļ/11.js

    • Size

      366KB

    • MD5

      102c38ddb3bc1cae7fbf642676d7b94b

    • SHA1

      894d9bf093eebe44c0ce219d22055ed7ab965453

    • SHA256

      cea0787fe709eb7bd1f4572d915f64c70f3fb2d0467373885c3f452c7b7064f7

    • SHA512

      fb08b0171456e7084979882794347c8dd9aece92c6d472866de9d4f3ff89e270753d20699bb970fa43299c049be142a4511f51058fdad49e4aabe02fd6a5cc58

    • SSDEEP

      6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRbse+N5odTxV/hS:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/ygw

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/12.js

    • Size

      49KB

    • MD5

      25e2ff9c9ce6424e9a0972bfdca5a912

    • SHA1

      47632a09766f36e7065048d4ace05ea8d1d31b74

    • SHA256

      cecc630c0fef9b4f1468c6a7b968733602aa5df667f894011559d691441b881a

    • SHA512

      41bb1e279ddf3bfc7a8414b73ce82fb3bd78b13606f9a91093c6caae075ba67424337970e58fddc8c3c13a92210c33a3190c9f160e5c67f1446009c8385fd174

    • SSDEEP

      768:RfUYlS5Tp94WsZWgU1ho9WF5hOBK4I0SS4nlDiOq:9r8T89k1+chOxaiF

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/13.js

    • Size

      307KB

    • MD5

      bff087dbd3c758e3522d1009fbba930e

    • SHA1

      1adba7d0791432bec4cb3776204ee597b3813180

    • SHA256

      cf37631fed4503770fc0834de0f9305b79c87cdf5507badb48a1112c49778a2f

    • SHA512

      1cf248393581f3b62b5a796d6fd50fd3a12eb480221ab8f74d84f03d323722a869b55e6bcfd15183066d1fdadc8df54db15c2dec086130aae4b174e8c611e5a1

    • SSDEEP

      3072:zuZB3jhBc61zKPcuV0eYMrmrFPhOdDIu8xgCXFpBBQ65egF2Kf8kqyjxLEY3wQia:mph5uV0XFPhqDIjgcbBT5egFFlTxLiBa

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/14.js

    • Size

      195KB

    • MD5

      14b73cdada934945bc57b7fccb4f5f74

    • SHA1

      fb6d32a46005109291311cc10290c1cc2c4079cd

    • SHA256

      4ecdf46b778a50a3e8b35bd5d6c24b73e256534bb0be11394b0bdf362ada6db7

    • SHA512

      150b9acea13f0a1a92cb0d72b906b70eabbdf465cdad402eb732ddab22689f1e2eef07f99d564b1b811baa4a39b74ac4f0ddb5fc9028b84140a6155bc9c52317

    • SSDEEP

      3072:zXb3mH3P3Swz8H4mRtOx2DQaeNL6TDxIjo:zXb3mHvZIm2DKwWo

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/15.js

    • Size

      31KB

    • MD5

      f3df9c96c3f90fb7bf5ffb9320820582

    • SHA1

      0b7df9e161f222d97ea3f1d883905b9e7a9cdb8a

    • SHA256

      13b0a2053f919fed877fb4ecb4cae691265456d59d2b871350512378fc847eb1

    • SHA512

      9637e6c478d20c2837004d16e4c5f0643433cddc01f54a42bdedbbbcb8132bdcceb7327e5f8b816819f929336683f638189c7b263fb91847bda279f7966c0c94

    • SSDEEP

      384:cEuWtagf971+6eCbrsBc3hlK5M1j2JBvlg/UjubUYDFQJ9W6qBwkosZjN:cCNA6etc3kGClWpbpx4W6Mwkh

    Score
    10/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/16.js

    • Size

      32KB

    • MD5

      1b0eaa2c2511d5c5bf2fff542b172a49

    • SHA1

      bce5600d8e4bb7353b67f52a388e56063fd1ae85

    • SHA256

      2d16b8541eb251e09be8589e1d140a14f8392cc055d3b15936edcddad91b5923

    • SHA512

      e2e4ac0468a3637bdcb2598444759856f547624e07a87837ed501199947dbf1435e2fef60f66d182c72159b5a06395cb5d39411b5df9f7c3a55c2c40a8fa7511

    • SSDEEP

      384:IsDLhfkGwaE6EIWNIalL+W9zCdrnQfF+M5WHZX8thvrtVOETBFtXBRo3yhuiUhR0:XMhIzWOzQfFb5q8hfjWouiwRoz2y

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/17.js

    • Size

      1KB

    • MD5

      840422981206fe204ad674b563497eee

    • SHA1

      fbadcc5fa1e489d965591d769da3bf7039fc5b7f

    • SHA256

      76522e1121f296222f3a9c9913638e5e6e9ab4be9206fc86ed32c1827b44b689

    • SHA512

      8cc95a62d66b7afcb8f402b4603773a3d3b877cdbf0c07492f75cc3b5bfc6e5cb91aa0997509b0e939a187ad8037d766ba23a4c3758da94a31940a4fc348d9ee

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/18.js

    • Size

      342KB

    • MD5

      dba952c6b2d44a17e9a1843989393e08

    • SHA1

      c1030557dae9544507fbaa9969804efaa6fb252d

    • SHA256

      cf5295f7c653e106bcf8367feb1daa26144f94e7721f0840d2c61f0ec7bd33c4

    • SHA512

      294d2c256fee717eaca964c7cff08ce34f6beab322389721ebe361aee3141c8bc5522896f47a684be60c4df94d1e20d33e200ca0da4d845a50b09c527ee6f388

    • SSDEEP

      6144:bcFYID3OLgu44c/3F1amoAk5MuXvCG8YtnZ5936:fIS1xb2

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/19.js

    • Size

      350KB

    • MD5

      3b4d15827663ca60cc4d5da20f1f0859

    • SHA1

      dc501622741ad802ecd77400c6d7f1ffc3aefe1f

    • SHA256

      cf8bc1bbbf24b2b6024ac626ad92ac3a48f55307d7ac30029242f0c0cb1fa018

    • SHA512

      90a47e5e96b9fc5fed89c113d544dad67eb6e23496128bc9d1e9f343ad58c640995f4a874006f469d1c78d91a6a8224b70c5c7b5e099c34ae9bad464e5afddc0

    • SSDEEP

      6144:bSfr0dh2tgcH6YTkM0cNRcpZwg/EBQ+8N/ygD1pRbiKUE1XHo9TI2wWJyOm03UhW:bSfrSh2tgcH6YTkMXRcpZwg/QQ+I/ygM

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/2.js

    • Size

      66KB

    • MD5

      6527678be6343fa9d34d4fe551e801a3

    • SHA1

      fac12da56f624416b6a58cf560c8f4ed36761fdb

    • SHA256

      04846a8b6ed6297020b43324bdeb1ef6e48505678248158c11426709eb94e58d

    • SHA512

      f38439c8f5997ed438de8d6fb28dada9a479dfd7e093410e26f3d835b09eca2ab2e2e7261ba5b4494db350e3b4816345e5130becab24ff0d0a6b00cf9106e731

    • SSDEEP

      768:N1VUGGv8F/dC6f6vcllMmxBGIvW/JtyYVLYOhnuOljz8/bKiVeOqaUtFO9nscBU:Uv8F/8lZVLb8X0OsiZU

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      ½ļ/20.js

    • Size

      982KB

    • MD5

      17f46833b1bc68b633d87096e2554211

    • SHA1

      caec4514c2ffeeb990f060f7d23939b3fae3616f

    • SHA256

      d01f48387858ae24bd9cb56464a3583d4c63b3ff1429c9dd78b1b5b6fc1ac969

    • SHA512

      bdcf3ee58572c2c08cb4d4ebe55113c48b126b97d143d153699f79f6d64e28bf52a848b5e6c938af3e11400ebc80995e8805829e14dda4da0c8731245ca2054f

    • SSDEEP

      24576:4whGo0174uWj+JO459UceUOPwHuVUVJHBcF1+kNXoIv9kB94LLb+J:e

    Score
    10/10
    • Strela

      An info stealer targeting mail credentials first seen in late 2022.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Target

      ½ļ/21.js

    • Size

      103KB

    • MD5

      e8b5043f0f263f7f66bdee786904268b

    • SHA1

      2d29989d7c335af3036c22da4fb433007765e382

    • SHA256

      d025ee7d2be36308e13ea988e3e15ab0e687972624ff88db059d472df7f46253

    • SHA512

      441023e7603f7e1dbd12767a07e724b394979d59657940647092cfe4a1e7f5cfd4e965e7a5aaa9a893ee3c5858b261573d6e44d1e7a4c358abc5f376200dd011

    • SSDEEP

      1536:ib5ox+pXEhuiykvoCcyGH33vI7n8GwKQ1JIYFJSJ9EYtgHHVCD2uU9tIsIfiQ:85o8tnQFBQnQWV4FPz

    Score
    1/10
    • Target

      ½ļ/22.js

    • Size

      8KB

    • MD5

      93713221ec3d756d1091b3a05d489ef8

    • SHA1

      1314a70eea9319ac8658b2047648c2093307fc5b

    • SHA256

      76e50a76cc320a29117e8466db4f31ba6f04510f07811536654e5316ace67b2d

    • SHA512

      b1128128bf3aae525694d5c6d9f1ecd009674beea5e3c1ded93078f8e5c3edc8b0372ae3e05c7bb383bab755d5d96caf8e215036f915338a20b10971694d683e

    • SSDEEP

      12:4XF1YOUhNJeyM121Evnps8Cnon1YVkVfNb5j0BbRZBbwGk3:4XFSZXe8EvpsheaOVfsBbRZBbC3

    Score
    10/10
    • Modifies WinLogon for persistence

    • Blocklisted process makes network request

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      ½ļ/23.js

    • Size

      229KB

    • MD5

      99d584088d1c742f855f1345dcf541d0

    • SHA1

      2165512054a2d6d2bf77a4d04b04083a96d1d088

    • SHA256

      1cea0c4b1af9170b9ed2927f3b100d202bebd1b8e69ba1527336aaa6b2c0bffc

    • SHA512

      b4e1cda4c4e7715a66f15fb8ce2d14822c5b7a743d7a20120f38ae37d9a40d02b6a9505a499ba8306e72b36bb32ed86d495baa16d3ca66fc8db43deb051b0e83

    • SSDEEP

      3072:6CTJOlrO0OWTGhiY+oJZZ/kaI16SFpb1O3cg/leJ1ZKUiP/o/foUqhdIu91tu:6CTolrOHOGhiYF/6T1OV/9vu

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
1/10

behavioral1

vjw0rm persistence trojan worm
Score
10/10

behavioral2

vjw0rm persistence trojan worm
Score
10/10

behavioral3

Score
8/10

behavioral4

Score
8/10

behavioral5

Score
3/10

behavioral6

Score
8/10

behavioral7

Score
8/10

behavioral8

Score
8/10

behavioral9

Score
3/10

behavioral10

Score
8/10

behavioral11

Score
3/10

behavioral12

Score
8/10

behavioral13

Score
10/10

behavioral14

Score
10/10

behavioral15

Score
10/10

behavioral16

Score
10/10

behavioral17

Score
3/10

behavioral18

Score
7/10

behavioral19

Score
3/10

behavioral20

Score
7/10

behavioral21

Score
3/10

behavioral22

Score
8/10

behavioral23

Score
10/10

behavioral24

Score
10/10

behavioral25

strela spyware stealer
Score
10/10

behavioral26

strela spyware stealer
Score
10/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
10/10

behavioral30

evasion persistence
Score
10/10

behavioral31

Score
3/10

behavioral32

Score
8/10