strela | 15cacb4f952177a2bbe3834a8c2217aa6ef5b78a8cd8af42ada9ff5a992292fc

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11074822014705.js
Size

6.5MB
MD5

8e75c8837c8288c2abd1c4ae364bb553
SHA1

5cf4550318b5f2eaca312149f06f5872f531785a
SHA256

15cacb4f952177a2bbe3834a8c2217aa6ef5b78a8cd8af42ada9ff5a992292fc
SHA512

1a7cacdeca0fbc0115674e41ce4ed68051c706928a2ee87121218908af2e9bbf01c7f3bce12f9facaf98a9b0a86a10f8f6e51cd073ff346ccda3c0e020275aa1
SSDEEP

24576:aM28t5oydiys4k1XWk6uyBWXJCirWqXNGLH5HvuVLptpWqm6xVowk8dppKEvzVBi:Ns47TiwQ5x2uA1Y0fm1nmlUiUbUN

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

193.109.85.77

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
2716	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2716	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2088	1264	wscript.exe	28
PID 1264 wrote to memory of 2088	1264	wscript.exe	28
PID 1264 wrote to memory of 2088	1264	wscript.exe	28
PID 2088 wrote to memory of 1712	2088	cmd.exe	30
PID 2088 wrote to memory of 1712	2088	cmd.exe	30
PID 2088 wrote to memory of 1712	2088	cmd.exe	30
PID 2088 wrote to memory of 2312	2088	cmd.exe	31
PID 2088 wrote to memory of 2312	2088	cmd.exe	31
PID 2088 wrote to memory of 2312	2088	cmd.exe	31
PID 2088 wrote to memory of 2716	2088	cmd.exe	32
PID 2088 wrote to memory of 2716	2088	cmd.exe	32
PID 2088 wrote to memory of 2716	2088	cmd.exe	32
PID 2088 wrote to memory of 2716	2088	cmd.exe	32
PID 2088 wrote to memory of 2716	2088	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\11074822014705.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\11074822014705.js" "C:\Users\Admin\AppData\Local\Temp\\smoggywhiteoddelectric.bat" && "C:\Users\Admin\AppData\Local\Temp\\smoggywhiteoddelectric.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\findstr.exe
    findstr /V amusescintillatingthunderingdeadpan ""C:\Users\Admin\AppData\Local\Temp\\smoggywhiteoddelectric.bat""
    3⤵
    PID:1712
- - C:\Windows\system32\certutil.exe
    certutil -f -decode trueterrificdebonairfireman harassbegabhorrentnotice.dll
    3⤵
    PID:2312
- - C:\Windows\system32\regsvr32.exe
    regsvr32 harassbegabhorrentnotice.dll
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\harassbegabhorrentnotice.dll

Filesize
4.8MB

MD5
384dac3b43bea5b51b862675b3f46cad

SHA1
0ff5b5440e2fee3b5846c887d38560fc9e99bb00

SHA256
3efc0fc3ce934509a40e83f2414bcc2708b5c111a1ddb2441f3704243fb4e2dc

SHA512
cdbf723866cc2aee637f840e351493a839a9614c7f4f6b1740ae8ee5aa676c76c5093085ff57c101188e48a2ca4480ee6ed6f6285fe9de43b0a9e6df77f154c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\smoggywhiteoddelectric.bat

Filesize
6.5MB

MD5
8e75c8837c8288c2abd1c4ae364bb553

SHA1
5cf4550318b5f2eaca312149f06f5872f531785a

SHA256
15cacb4f952177a2bbe3834a8c2217aa6ef5b78a8cd8af42ada9ff5a992292fc

SHA512
1a7cacdeca0fbc0115674e41ce4ed68051c706928a2ee87121218908af2e9bbf01c7f3bce12f9facaf98a9b0a86a10f8f6e51cd073ff346ccda3c0e020275aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\smoggywhiteoddelectric.bat

Filesize
6.5MB

MD5
8e75c8837c8288c2abd1c4ae364bb553

SHA1
5cf4550318b5f2eaca312149f06f5872f531785a

SHA256
15cacb4f952177a2bbe3834a8c2217aa6ef5b78a8cd8af42ada9ff5a992292fc

SHA512
1a7cacdeca0fbc0115674e41ce4ed68051c706928a2ee87121218908af2e9bbf01c7f3bce12f9facaf98a9b0a86a10f8f6e51cd073ff346ccda3c0e020275aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\trueterrificdebonairfireman

Filesize
6.4MB

MD5
987844df8910f57e337f9309419d3998

SHA1
f95606120a8cdd0305d889df88a128d4d396824d

SHA256
2347fe92811a8952b8783b2419872500f08060a58bb2415429f802044233da0b

SHA512
a72383aa46bbfae75480fd2347da1a50df69ddb3b8dc1cb1cab1604e41b9732dbd2021ae656a3a74671194a272d9c4aedffa5ad036b46882049a640986807c66

Download Submit
\Users\Admin\AppData\Local\Temp\harassbegabhorrentnotice.dll

Filesize
4.8MB

MD5
384dac3b43bea5b51b862675b3f46cad

SHA1
0ff5b5440e2fee3b5846c887d38560fc9e99bb00

SHA256
3efc0fc3ce934509a40e83f2414bcc2708b5c111a1ddb2441f3704243fb4e2dc

SHA512
cdbf723866cc2aee637f840e351493a839a9614c7f4f6b1740ae8ee5aa676c76c5093085ff57c101188e48a2ca4480ee6ed6f6285fe9de43b0a9e6df77f154c2

Download Submit
memory/2716-3578-0x000000006D7C0000-0x000000006DC8E000-memory.dmp

Filesize
4.8MB

Download
memory/2716-3579-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download
memory/2716-3580-0x0000000000200000-0x0000000000221000-memory.dmp

Filesize
132KB

Download