Malware Analysis Report

2025-04-14 07:59

Sample ID 231027-mmgaksfd38
Target ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116
SHA256 ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116

Threat Level: Known bad

The file ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116 was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-27 10:34

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-27 10:34

Reported

2023-10-27 10:37

Platform

win10v2004-20231023-en

Max time kernel

141s

Max time network

145s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-27 10:34

Reported

2023-10-27 10:37

Platform

win7-20231023-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"

C:\Windows\system32\findstr.exe

findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

C:\Windows\system32\rundll32.exe

rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat

MD5 5439e605a33011803acd31ef4f2475cd
SHA1 aeda29b5df8c6c32675a645c89e78cd1cb9263d0
SHA256 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98
SHA512 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc

C:\Users\Admin\AppData\Local\Temp\wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt

MD5 bbc12e812d451b56e262307e517a7a07
SHA1 d2cc933d7b98dfe76c8806cf7b3727cf208dfecd
SHA256 6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869
SHA512 1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755

C:\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

MD5 1376545af4612c696f527acb2e5de091
SHA1 59fdb448fc3169edb06cae100063444df9118397
SHA256 b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1
SHA512 ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

MD5 1376545af4612c696f527acb2e5de091
SHA1 59fdb448fc3169edb06cae100063444df9118397
SHA256 b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1
SHA512 ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

memory/2664-44-0x000000006D7C0000-0x000000006D88D000-memory.dmp

memory/2664-45-0x0000000000100000-0x0000000000121000-memory.dmp

memory/2664-46-0x0000000000100000-0x0000000000121000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-27 10:34

Reported

2023-10-27 10:37

Platform

win10v2004-20231025-en

Max time kernel

143s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 5084 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2576 wrote to memory of 5084 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 5084 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 5084 wrote to memory of 2540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 5084 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 5084 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 5084 wrote to memory of 388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 5084 wrote to memory of 388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\PDF20378644327750.js" "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat" && "C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat"

C:\Windows\system32\findstr.exe

findstr /V yvvtruptgthopkwxilzrbnttxkusosxnsktfhipvmptiypaxuf ""C:\Users\Admin\AppData\Local\Temp\\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

C:\Windows\system32\rundll32.exe

rundll32 dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll,x

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\mqexivbxzbkovimwlxmrsmetjysoxrkjksgakqzdabgxmepqec.bat

MD5 5439e605a33011803acd31ef4f2475cd
SHA1 aeda29b5df8c6c32675a645c89e78cd1cb9263d0
SHA256 93e09d0986bdd1d746ce39d79fc60f1e35fec9c1aa1b6b972eeec07fc35f8e98
SHA512 3f078ebb4e5e8478671f100e2629e6f74abfa97bf9957a55f26e34069886788086b95d366972eb4f74f4c29408af79562a0681dae53088f1920b37262641d0fc

C:\Users\Admin\AppData\Local\Temp\wuqjfjqrimhlcxkpxujramgvuryubmullhokhoecqzwywpbhqt

MD5 bbc12e812d451b56e262307e517a7a07
SHA1 d2cc933d7b98dfe76c8806cf7b3727cf208dfecd
SHA256 6d17a199731628ae7af3c92b5d1f465d494137f1e324deb3efebc768152bc869
SHA512 1fde0d39343018877833e6f3121b4513a8d951a30660a91819e74863087e6c13a9fa95bb659ad6fc4d4321017e2721bf9f6f659cc881ff753cdfd53b08e87755

C:\Users\Admin\AppData\Local\Temp\dcbqkeqohsqwnvvmaoxofnkxawfszdvtipeouuhovogpeitvxs.dll

MD5 1376545af4612c696f527acb2e5de091
SHA1 59fdb448fc3169edb06cae100063444df9118397
SHA256 b3360f58635cd7da41100b0292dce3ede14948998be759206144f772b7757cb1
SHA512 ca53730bb20ed5f39f643f82510b2f592e7221be44c08c5c81db2d6400f098bcd022d338806c73233648c5111f9b4790feb2e23db83fd49447fb678efba727e7

memory/388-42-0x000000006D7C0000-0x000000006D88D000-memory.dmp

memory/388-41-0x0000026833800000-0x0000026833821000-memory.dmp

memory/388-43-0x0000026833800000-0x0000026833821000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-27 10:34

Reported

2023-10-27 10:37

Platform

win7-20231023-en

Max time kernel

120s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ffe80d865af4c953b234439472765196180795a26dc96223ec250c1bb01bd116.zip

Network

N/A

Files

N/A