strela | a2e6bd6582e3002fbd8230007f23047fcacd7ddc071a287e42f54cf4572db5fe

Resubmissions

21-01-2025 14:40

09-11-2023 10:14

max time kernel
48s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2023 10:14

Target

slopewell-offculturedairplane.bat
Size

403KB
MD5

41447efea024e6158c5711c4982af676
SHA1

b52c1b3849249cc0504b82833c8610b4167cd0b1
SHA256

a2e6bd6582e3002fbd8230007f23047fcacd7ddc071a287e42f54cf4572db5fe
SHA512

d5a29e3b264672b33049984030443f505b573137636420c9b29ddf258a118cb1089caa859ce8f89da2cc1d37607fc8454a19385b77926ea793a6c8c9f77ead1b
SSDEEP

6144:SNGQJKf11ZZewEP7eXGON4FhDGTcJoBY1zWi9qgsgUpQ47GK+:SZKd7ZewaON4FhDGTcJk7i9xbUc

Score

10^/10

strela stealer

Family

strela

193.109.85.77

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
3640	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3832	5108	cmd.exe	88
PID 5108 wrote to memory of 3832	5108	cmd.exe	88
PID 5108 wrote to memory of 2860	5108	cmd.exe	89
PID 5108 wrote to memory of 2860	5108	cmd.exe	89
PID 5108 wrote to memory of 3640	5108	cmd.exe	90
PID 5108 wrote to memory of 3640	5108	cmd.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\slopewell-offculturedairplane.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\system32\findstr.exe
  findstr /V officebaiteggsexpect "C:\Users\Admin\AppData\Local\Temp\slopewell-offculturedairplane.bat"
  2⤵
  PID:3832
- C:\Windows\system32\certutil.exe
  certutil -f -decode advicediscoverjeansupbeat energeticliverelyamused.dll
  2⤵
  PID:2860
- C:\Windows\system32\regsvr32.exe
  regsvr32 energeticliverelyamused.dll
  2⤵
  - Loads dropped DLL
  PID:3640

C:\Users\Admin\AppData\Local\Temp\advicediscoverjeansupbeat

Filesize
303KB

MD5
3de4c4dddf82847e0418a9d1390a7d05

SHA1
6f00c75e9edc101872f3619f2906e2647335e1b2

SHA256
2d3612d43407870a6d59beebae4f726d9cbcef2127f600facda949251fcefcc7

SHA512
8ab0ccaf715b37c8c180a3bab37584513c37edf734ce58a3a901fc8c13f823be42d062f2d85a3aac3fe7f28f4ab0158c198e89946f7d0b59f40e44b3ebb4f4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\energeticliverelyamused.dll

Filesize
227KB

MD5
b87b94262e7ee819933cc0ed51cf665c

SHA1
0094d6ead5447d3e74f6c08a03d65b8ed47b2bde

SHA256
e534b69015fec9196a1cbd77664b40f8ac474385c06ed2385321417b7c1b26a4

SHA512
d05a9d48f612ef88f43f84da351dfce73f3c7c2c536b4e5512d4449288a478b5102e572266efdbf0c0f70e4bdbd1561b2c040e4a6306e27f9f7f01fa562ec1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\energeticliverelyamused.dll

Filesize
227KB

MD5
b87b94262e7ee819933cc0ed51cf665c

SHA1
0094d6ead5447d3e74f6c08a03d65b8ed47b2bde

SHA256
e534b69015fec9196a1cbd77664b40f8ac474385c06ed2385321417b7c1b26a4

SHA512
d05a9d48f612ef88f43f84da351dfce73f3c7c2c536b4e5512d4449288a478b5102e572266efdbf0c0f70e4bdbd1561b2c040e4a6306e27f9f7f01fa562ec1a9

Download Submit
memory/3640-5-0x0000000001260000-0x0000000001281000-memory.dmp

Filesize
132KB

Download
memory/3640-6-0x000000006D7C0000-0x000000006D800000-memory.dmp

Filesize
256KB

Download