strela | e632c7853782a7d4251f761a03037ca33e2421b2bec28d4afefb8ae516460c88

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

½ļ/20.js
Size

982KB
MD5

17f46833b1bc68b633d87096e2554211
SHA1

caec4514c2ffeeb990f060f7d23939b3fae3616f
SHA256

d01f48387858ae24bd9cb56464a3583d4c63b3ff1429c9dd78b1b5b6fc1ac969
SHA512

bdcf3ee58572c2c08cb4d4ebe55113c48b126b97d143d153699f79f6d64e28bf52a848b5e6c938af3e11400ebc80995e8805829e14dda4da0c8731245ca2054f
SSDEEP

24576:4whGo0174uWj+JO459UceUOPwHuVUVJHBcF1+kNXoIv9kB94LLb+J:e

Score

10^/10

strela spyware stealer

Malware Config

Extracted

Family

strela

91.215.85.209

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 4 IoCs

pid	Process
2872	rundll32.exe
2872	rundll32.exe
2872	rundll32.exe
2872	rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2656	1916	wscript.exe	28
PID 1916 wrote to memory of 2656	1916	wscript.exe	28
PID 1916 wrote to memory of 2656	1916	wscript.exe	28
PID 2656 wrote to memory of 2668	2656	cmd.exe	30
PID 2656 wrote to memory of 2668	2656	cmd.exe	30
PID 2656 wrote to memory of 2668	2656	cmd.exe	30
PID 2656 wrote to memory of 2688	2656	cmd.exe	31
PID 2656 wrote to memory of 2688	2656	cmd.exe	31
PID 2656 wrote to memory of 2688	2656	cmd.exe	31
PID 2656 wrote to memory of 2872	2656	cmd.exe	32
PID 2656 wrote to memory of 2872	2656	cmd.exe	32
PID 2656 wrote to memory of 2872	2656	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\½ļ\20.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\½ļ\20.js" "C:\Users\Admin\AppData\Local\TempP1QG0Z.bat" && "C:\Users\Admin\AppData\Local\TempP1QG0Z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\findstr.exe
    findstr /V FYR0TO ""C:\Users\Admin\AppData\Local\TempP1QG0Z.bat""
    3⤵
    PID:2668
- - C:\Windows\system32\certutil.exe
    certutil -f -decodehex 044NGP O42NRC.dll
    3⤵
    PID:2688
- - C:\Windows\system32\rundll32.exe
    rundll32 O42NRC.dll,f
    3⤵
    - Loads dropped DLL
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempP1QG0Z.bat

Filesize
982KB

MD5
17f46833b1bc68b633d87096e2554211

SHA1
caec4514c2ffeeb990f060f7d23939b3fae3616f

SHA256
d01f48387858ae24bd9cb56464a3583d4c63b3ff1429c9dd78b1b5b6fc1ac969

SHA512
bdcf3ee58572c2c08cb4d4ebe55113c48b126b97d143d153699f79f6d64e28bf52a848b5e6c938af3e11400ebc80995e8805829e14dda4da0c8731245ca2054f

Download Submit
C:\Users\Admin\AppData\Local\TempP1QG0Z.bat

Filesize
982KB

MD5
17f46833b1bc68b633d87096e2554211

SHA1
caec4514c2ffeeb990f060f7d23939b3fae3616f

SHA256
d01f48387858ae24bd9cb56464a3583d4c63b3ff1429c9dd78b1b5b6fc1ac969

SHA512
bdcf3ee58572c2c08cb4d4ebe55113c48b126b97d143d153699f79f6d64e28bf52a848b5e6c938af3e11400ebc80995e8805829e14dda4da0c8731245ca2054f

Download Submit
C:\Users\Admin\AppData\Local\Temp\044NGP

Filesize
981KB

MD5
7432042a84d254f5fdd894c2ba8b9e31

SHA1
6770385dc62dea6c00e486a85d587657282b10e6

SHA256
7c90cc82c8ac916885d4916de7cdff3e20e10d2ef643c5787d7e9637ad517518

SHA512
5d0c0ace5903f1d2eca67db84a0cf260e37391baa57b64e68d3968e530aed67d7f1c3f6ca7320c6a4c1c647b277c8f2e60232882cb3347a4d73507a77aa01098

Download Submit
C:\Users\Admin\AppData\Local\Temp\O42NRC.dll

Filesize
327KB

MD5
3fd89b48eea601e19ce958333d617f7a

SHA1
0bd0068492d45cd1be3f023122f52b8f453df4da

SHA256
ceb73e9ef84bcdf0538ae8084c482fd21d7501672fb95010e424c9af5596bf6d

SHA512
71a6aba16b53b6e61192708172a572afef61205289e506ef8d026e584424f10a976361ca8a438384438696d5ba756ad3b66d7150bef2125a3691009b55f198fc

Download Submit
\Users\Admin\AppData\Local\Temp\O42NRC.dll

Filesize
327KB

MD5
3fd89b48eea601e19ce958333d617f7a

SHA1
0bd0068492d45cd1be3f023122f52b8f453df4da

SHA256
ceb73e9ef84bcdf0538ae8084c482fd21d7501672fb95010e424c9af5596bf6d

SHA512
71a6aba16b53b6e61192708172a572afef61205289e506ef8d026e584424f10a976361ca8a438384438696d5ba756ad3b66d7150bef2125a3691009b55f198fc

Download Submit
\Users\Admin\AppData\Local\Temp\O42NRC.dll

Filesize
327KB

MD5
3fd89b48eea601e19ce958333d617f7a

SHA1
0bd0068492d45cd1be3f023122f52b8f453df4da

SHA256
ceb73e9ef84bcdf0538ae8084c482fd21d7501672fb95010e424c9af5596bf6d

SHA512
71a6aba16b53b6e61192708172a572afef61205289e506ef8d026e584424f10a976361ca8a438384438696d5ba756ad3b66d7150bef2125a3691009b55f198fc

Download Submit
\Users\Admin\AppData\Local\Temp\O42NRC.dll

Filesize
327KB

MD5
3fd89b48eea601e19ce958333d617f7a

SHA1
0bd0068492d45cd1be3f023122f52b8f453df4da

SHA256
ceb73e9ef84bcdf0538ae8084c482fd21d7501672fb95010e424c9af5596bf6d

SHA512
71a6aba16b53b6e61192708172a572afef61205289e506ef8d026e584424f10a976361ca8a438384438696d5ba756ad3b66d7150bef2125a3691009b55f198fc

Download Submit
\Users\Admin\AppData\Local\Temp\O42NRC.dll

Filesize
327KB

MD5
3fd89b48eea601e19ce958333d617f7a

SHA1
0bd0068492d45cd1be3f023122f52b8f453df4da

SHA256
ceb73e9ef84bcdf0538ae8084c482fd21d7501672fb95010e424c9af5596bf6d

SHA512
71a6aba16b53b6e61192708172a572afef61205289e506ef8d026e584424f10a976361ca8a438384438696d5ba756ad3b66d7150bef2125a3691009b55f198fc

Download Submit
memory/2872-18-0x0000000000100000-0x0000000000121000-memory.dmp

Filesize
132KB

Download
memory/2872-19-0x000000006D7C0000-0x000000006D81A000-memory.dmp

Filesize
360KB

Download
memory/2872-20-0x0000000000100000-0x0000000000121000-memory.dmp

Filesize
132KB

Download