Malware Analysis Report

2025-04-14 08:00

Sample ID 231101-tqslcaca63
Target INVOICE_87016385.js
SHA256 afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837

Threat Level: Known bad

The file INVOICE_87016385.js was found to be: Known bad.

Execution chain observed in both detonations: wscript.exe runs the JScript, which starts cmd.exe to copy the .js to downtownnotice.bat and execute the copy. The .bat carries the same SHA256 as the submitted .js, so the sample is a JScript/batch polyglot rather than a dropper that writes a second stage to disk. The batch stage runs findstr /V strongcurious over itself to discard every line containing that marker string, leaving a base64 block that certutil -f -decode turns into continueapologise.dll (the certutil input is the dropped file watchbumpy); regsvr32 then loads the DLL (the behavioral2 memory dumps are taken from that regsvr32 process, PID 1932). No Strela command-and-control traffic was reached within the sandbox timeouts.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 16:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 16:16

Reported

2023-11-01 16:21

Platform

win7-20231020-en

Max time kernel

120s

Max time network

140s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js" "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat" && "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat"

C:\Windows\system32\findstr.exe

findstr /V strongcurious ""C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode watchbumpy continueapologise.dll

C:\Windows\system32\regsvr32.exe

regsvr32 continueapologise.dll
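The findstr, certutil and regsvr32 command lines above are the whole unpacking routine, so the DLL can be recovered without detonating the sample. The following Python is an added example, not code from the report or from the malware: it replays `findstr /V marker` and `certutil -decode` on a constructed JScript/batch polyglot (the marker string and file names are the report's; the script lines, the assumption that every non-payload line carries the marker, and the fake MZ/PE payload are constructed stand-ins) and sanity-checks that what regsvr32 would load is a PE image.

```python
import base64
import hashlib

MARKER = "strongcurious"          # marker string from the report's findstr command


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fake_pe() -> bytes:
    """Constructed stand-in for continueapologise.dll: a minimal MZ/PE header, not a real DLL."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew: PE signature sits at offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58


def build_sample_polyglot(payload: bytes, marker: str = MARKER) -> bytes:
    """Constructed polyglot in the shape the report implies (assumption): every script
    line carries the marker, so `findstr /V marker` leaves only the base64 block."""
    b64 = base64.b64encode(payload).decode()
    lines = [
        f"/* {marker} */ var sh = new ActiveXObject('WScript.Shell');",
        f"@echo off & rem {marker}",
        f'findstr /V {marker} "%~f0" > watchbumpy & rem {marker}',
        f"certutil -f -decode watchbumpy continueapologise.dll & rem {marker}",
        f"regsvr32 continueapologise.dll & rem {marker}",
        "-----BEGIN CERTIFICATE-----",
        *[b64[i:i + 64] for i in range(0, len(b64), 64)],
        "-----END CERTIFICATE-----",
    ]
    return ("\r\n".join(lines) + "\r\n").encode()


def carve_base64(polyglot: bytes, marker: str = MARKER) -> str:
    """Step 1, `findstr /V marker file`: keep only the lines that do not contain the marker."""
    kept = [ln for ln in polyglot.decode("latin-1").splitlines() if marker not in ln]
    return "\r\n".join(kept)


def certutil_decode(text: str) -> bytes:
    """Step 2, `certutil -f -decode in out`: drop the BEGIN/END armour lines and base64-decode."""
    body = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """What regsvr32 would load must be a PE: MZ stub plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack(polyglot: bytes, marker: str = MARKER) -> dict:
    """Run both steps and report the hashes an analyst would compare against the sandbox."""
    carved = carve_base64(polyglot, marker)
    dll = certutil_decode(carved)
    return {
        "dropper_sha256": sha256hex(polyglot),
        "dll_sha256": sha256hex(dll),
        "dll": dll,
        "is_pe": looks_like_pe(dll),
    }


if __name__ == "__main__":
    sample = build_sample_polyglot(fake_pe())
    result = unpack(sample)
    print("dropper", result["dropper_sha256"])
    print("dll    ", result["dll_sha256"], "PE" if result["is_pe"] else "not a PE")
```

Run `unpack()` on the real INVOICE_87016385.js and `dll_sha256` should reproduce the report's continueapologise.dll hash (fd46a8fb…), since certutil's output is just the base64 decoding; the hash of the intermediate text may differ from watchbumpy's because findstr normalises line endings.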

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\downtownnotice.bat

MD5 534860a3a2a1ff00741586ef5bc75580
SHA1 8f638188191e3539c288265aa3dc76ef3b68676b
SHA256 afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837
SHA512 1887e5d06e2f8b9b7b95358517c6c7cd47ac2afcf27a5810255df0f6178d6015bc2e8df176ca62f28117db7ec921bc6e7bc32d0dad5c02ea082628734ed6453e

C:\Users\Admin\AppData\Local\Temp\watchbumpy

MD5 1d48fd778f97a6de0da164e177cee7ff
SHA1 44acb8b0cb1b78f787a79f6a3feffe4c3f834004
SHA256 efa7388305de84157a5becba06a30852502bdf3daa6fec7090c92f3c8184e05b
SHA512 5c8b49c0c7917598a3925a62f74b8be2fc095fd4570113d2c877bd792bd068ce07a6669367659310bd0d69fd01ee94d4227adaaaacc9f130ee0c552fd15f069c

C:\Users\Admin\AppData\Local\Temp\continueapologise.dll

MD5 19ca30743fe72edf7bd26724d9086b84
SHA1 fbd5cc2e90817c689934994612027c2eb50c328b
SHA256 fd46a8fbf3c4ad0c102c3ea0e7927c7a7fd15934c02fa6b1be18266de250b97b
SHA512 f5447c2d209fb404f632cd8089e40f5443a32c63f63b4e189b3c5117391fe55eef6330b9deb817ba89647285f55d1f7590e0e94f7121c7d7fc24b056f3f18fea

\Users\Admin\AppData\Local\Temp\continueapologise.dll

MD5 19ca30743fe72edf7bd26724d9086b84
SHA1 fbd5cc2e90817c689934994612027c2eb50c328b
SHA256 fd46a8fbf3c4ad0c102c3ea0e7927c7a7fd15934c02fa6b1be18266de250b97b
SHA512 f5447c2d209fb404f632cd8089e40f5443a32c63f63b4e189b3c5117391fe55eef6330b9deb817ba89647285f55d1f7590e0e94f7121c7d7fc24b056f3f18fea

memory/2480-4705-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2480-4706-0x000000006D7C0000-0x000000006DA55000-memory.dmp

memory/2480-4707-0x0000000000120000-0x0000000000141000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-01 16:16

Reported

2023-11-01 16:19

Platform

win10v2004-20231023-en

Max time kernel

141s

Max time network

198s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 408 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1504 wrote to memory of 408 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 408 wrote to memory of 780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 408 wrote to memory of 780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 408 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 408 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 408 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 408 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js" "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat" && "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat"

C:\Windows\system32\findstr.exe

findstr /V strongcurious ""C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode watchbumpy continueapologise.dll

C:\Windows\system32\regsvr32.exe

regsvr32 continueapologise.dll
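The WriteProcessMemory table and the process list above give the full parent/child chain with PIDs, which is what a detection needs: each binary on its own (cmd, findstr, certutil, regsvr32) is a legitimate LOLBin, so the signal is the correlation. The following Python is an added example, not part of the report or of any vendor product: it runs three ancestry-correlated rules over constructed process-creation events (Sysmon-style dicts; PIDs, images and command lines copied from behavioral2, plus two benign control events that are constructed) and generalises slightly beyond this sample by also matching cscript.exe as the script host.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation events. The first five mirror the behavioral2 run;
# the last two are benign controls (constructed) that must not alert.
SAMPLE_EVENTS = [
    {"pid": 1504, "ppid": 1000, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js"},
    {"pid": 408, "ppid": 1504, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_87016385.js" '
            r'"C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat" && "C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat"'},
    {"pid": 780, "ppid": 408, "image": r"C:\Windows\system32\findstr.exe",
     "cmd": r'findstr /V strongcurious ""C:\Users\Admin\AppData\Local\Temp\\downtownnotice.bat""'},
    {"pid": 3772, "ppid": 408, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": "certutil -f -decode watchbumpy continueapologise.dll"},
    {"pid": 1932, "ppid": 408, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": "regsvr32 continueapologise.dll"},
    {"pid": 2200, "ppid": 1000, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -hashfile C:\Users\Admin\Downloads\setup.msi SHA256"},
    {"pid": 2300, "ppid": 2100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
]

RE_COPY_JS_TO_BAT = re.compile(r'\bcopy\s+"?[^"\s]+\.js"?\s+"?[^"\s]+\.bat\b', re.I)
RE_CERTUTIL_DECODE = re.compile(r'-decode\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
RE_FINDSTR_INVERT = re.compile(r'\bfindstr\b.*\s/v\s.*\.bat', re.I)


def image_name(path: str) -> str:
    return PureWindowsPath(path.strip('"')).name.lower()


def detect(events):
    """Return (rule, pid) tuples for each link of the chain, correlated through process ancestry."""
    by_pid = {e["pid"]: e for e in events}
    siblings = defaultdict(list)
    for e in events:
        siblings[e["ppid"]].append(e)
    alerts = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = image_name(parent["image"]) if parent else ""
        sib_imgs = {image_name(s["image"]) for s in siblings[e["ppid"]]}

        # 1. script host -> cmd.exe that copies a .js onto a .bat (polyglot re-execution)
        if img == "cmd.exe" and parent_img in {"wscript.exe", "cscript.exe"} \
                and RE_COPY_JS_TO_BAT.search(e["cmd"]):
            alerts.append(("script_host_copies_js_to_bat", e["pid"]))

        # 2. findstr /V over a .bat with certutil as a sibling: carving base64 out of the batch file
        if img == "findstr.exe" and RE_FINDSTR_INVERT.search(e["cmd"]) and "certutil.exe" in sib_imgs:
            alerts.append(("findstr_carves_batch_for_certutil", e["pid"]))

        # 3. certutil -decode whose output file name is then handed to a sibling regsvr32
        if img == "certutil.exe":
            m = RE_CERTUTIL_DECODE.search(e["cmd"])
            if m:
                out_name = image_name(m.group(2))
                for s in siblings[e["ppid"]]:
                    if image_name(s["image"]) == "regsvr32.exe" and out_name in s["cmd"].lower():
                        alerts.append(("certutil_decode_feeds_regsvr32", s["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 is the one worth keeping even if the others are tuned out: certutil -decode alone is noisy in environments that use it for certificate handling, but its decoded output being passed to regsvr32 by a sibling process has no legitimate counterpart.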

Network

The captured traffic is limited to reverse DNS (PTR) lookups via 8.8.8.8 and TLS connections to tse1.mm.bing.net, which is consistent with Windows background activity on the sandbox image rather than Strela command-and-control; no stealer C2 was contacted before the 198s network timeout.

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\downtownnotice.bat

MD5 534860a3a2a1ff00741586ef5bc75580
SHA1 8f638188191e3539c288265aa3dc76ef3b68676b
SHA256 afad9b62a94c1a4a51d6ec252c80f93e875d234e448b3a92e0435276dd4f8837
SHA512 1887e5d06e2f8b9b7b95358517c6c7cd47ac2afcf27a5810255df0f6178d6015bc2e8df176ca62f28117db7ec921bc6e7bc32d0dad5c02ea082628734ed6453e

C:\Users\Admin\AppData\Local\Temp\watchbumpy

MD5 1d48fd778f97a6de0da164e177cee7ff
SHA1 44acb8b0cb1b78f787a79f6a3feffe4c3f834004
SHA256 efa7388305de84157a5becba06a30852502bdf3daa6fec7090c92f3c8184e05b
SHA512 5c8b49c0c7917598a3925a62f74b8be2fc095fd4570113d2c877bd792bd068ce07a6669367659310bd0d69fd01ee94d4227adaaaacc9f130ee0c552fd15f069c

C:\Users\Admin\AppData\Local\Temp\continueapologise.dll

MD5 19ca30743fe72edf7bd26724d9086b84
SHA1 fbd5cc2e90817c689934994612027c2eb50c328b
SHA256 fd46a8fbf3c4ad0c102c3ea0e7927c7a7fd15934c02fa6b1be18266de250b97b
SHA512 f5447c2d209fb404f632cd8089e40f5443a32c63f63b4e189b3c5117391fe55eef6330b9deb817ba89647285f55d1f7590e0e94f7121c7d7fc24b056f3f18fea

memory/1932-4705-0x0000000002B10000-0x0000000002B31000-memory.dmp

memory/1932-4706-0x000000006D7C0000-0x000000006DA55000-memory.dmp