Malware Analysis Report

2025-04-14 07:59

Sample ID 231026-nwwbjabd6y
Target kroschke.zip
SHA256 12572cb7b186f8ab42369828e636bf1b14100b53e57569d82d690838c112a9e9
Tags strela stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 12572cb7b186f8ab42369828e636bf1b14100b53e57569d82d690838c112a9e9

Threat Level: Known bad

The file kroschke.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 11:45

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-26 11:45

Reported

2023-10-26 11:48

Platform

win7-20231020-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"

C:\Windows\system32\findstr.exe

findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode absorbingworkable parsimoniousdidactic.dll

C:\Windows\system32\regsvr32.exe

regsvr32 parsimoniousdidactic.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\honorablebutter.bat

MD5 4ba46eb8264924a7c2b426f585d1c2c3
SHA1 8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

C:\Users\Admin\AppData\Local\Temp\absorbingworkable

MD5 0ef6ff6531a33e068f6167c80d8a332a
SHA1 47eed73820d55ff30571ede08c12adf5900f87f4
SHA256 5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4
SHA512 f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b

C:\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll

MD5 344de2ad2b2e208ff24808486f32a99c
SHA1 9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512 f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll

MD5 344de2ad2b2e208ff24808486f32a99c
SHA1 9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512 f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

memory/1488-9698-0x00000000001A0000-0x00000000001C1000-memory.dmp

memory/1488-9699-0x000000006D7C0000-0x000000006DB41000-memory.dmp

memory/1488-9700-0x00000000001A0000-0x00000000001C1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-26 11:45

Reported

2023-10-26 11:48

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 384 wrote to memory of 2068 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 384 wrote to memory of 2068 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2068 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2068 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2068 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2068 wrote to memory of 4120 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2068 wrote to memory of 4120 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\FACTURA_83122657.js" "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat" && "C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat"

C:\Windows\system32\findstr.exe

findstr /V elitecow ""C:\Users\Admin\AppData\Local\Temp\\honorablebutter.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode absorbingworkable parsimoniousdidactic.dll

C:\Windows\system32\regsvr32.exe

regsvr32 parsimoniousdidactic.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\honorablebutter.bat

MD5 4ba46eb8264924a7c2b426f585d1c2c3
SHA1 8fbc96590228889f0b4436b24b0936f00dd7c3f3
SHA256 9ee367357fb17e39d97f13914e511ed6387b461d2beb14c9acb3d8a04ac92b70
SHA512 3eae19048e2c45fb95b33b86a4b0777e60088c70d6984b06abc282ad4b328ca30d7c0128b4faedc3268cc30782289bae2c487bdb2ff8ed1e44256a015811f986

C:\Users\Admin\AppData\Local\Temp\absorbingworkable

MD5 0ef6ff6531a33e068f6167c80d8a332a
SHA1 47eed73820d55ff30571ede08c12adf5900f87f4
SHA256 5e294ba7f829f0a3e8667c785c51594445b79d10aabde031f7dba0e5b8d8dcc4
SHA512 f44cd161c5e4699049af624ce30879ef3d54193020a9d8a11ebd3f06874b828cb4248732e2c0dea0832884e1864c1396cdbba6abf70e3bbbd01fe8ae01f0655b

C:\Users\Admin\AppData\Local\Temp\parsimoniousdidactic.dll

MD5 344de2ad2b2e208ff24808486f32a99c
SHA1 9802a9af76cb2816a995213da7fdd7d416b29e47
SHA256 2f33c537e2c5f63e3f856b2814afb21e53081d7ae29f57d37dd26c10250c426e
SHA512 f86ed7addc42b43f3c99e60be97adce3c9e421398e38cac85d6a8bc165ea4efd3d3280e0441727ecd174cb68890734fb817cb6db905bf919edf6e72150bbae4a

memory/4120-9699-0x000000006D7C0000-0x000000006DB41000-memory.dmp

memory/4120-9698-0x00000000005C0000-0x00000000005E1000-memory.dmp

memory/4120-9700-0x00000000005C0000-0x00000000005E1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 11:45

Reported

2023-10-26 11:48

Platform

win7-20231025-en

Max time kernel

121s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kroschke.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kroschke.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-26 11:45

Reported

2023-10-26 11:48

Platform

win10v2004-20231023-en

Max time kernel

143s

Max time network

148s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kroschke.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kroschke.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

N/A