Malware Analysis Report

2025-01-18 09:30

Sample ID 240112-mkhqmafab5
Target saarbrueckerzeitung.zip
SHA256 cd9975d1ae504146c3b5a8f80097b89616ea752b88d43d474b44ea4cbd4909f6
Tags strela stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 cd9975d1ae504146c3b5a8f80097b89616ea752b88d43d474b44ea4cbd4909f6

Threat Level: Known bad

The file saarbrueckerzeitung.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-12 10:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-12 10:31
Reported 2024-01-12 10:34
Platform win7-20231215-en
Max time kernel 122s
Max time network 126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2292 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2796 wrote to memory of 2292 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2796 wrote to memory of 2292 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2292 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1968 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1968 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"

C:\Windows\system32\findstr.exe

findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode jellyfascinated pastoraldisturbed.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 pastoraldisturbed.dll,x

C:\Windows\system32\rundll32.exe

rundll32 pastoraldisturbed.dll,x

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat

MD5 a3134285c9755a420030fc7622e231e1
SHA1 eae99bc500c42855c20852865a1dec2f3dfff4d0
SHA256 a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4
SHA512 be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3

C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat

MD5 0a2442a55a7c864f5521f77692123503
SHA1 f13f71c1ae76f37aa764baf9116424c9ee6c2bab
SHA256 b73e9d1ef20dc259a939b0156bdef390b7b06791726d7c39e68e0bd4d138f8da
SHA512 fb275a65ed287b8f5ffc10576015e45ed1770dae74846e5cdf98e680a51b915791b79e48bf3dbbbaf9bef652220f662603bcc684f89ef37354022f1d561f335b

C:\Users\Admin\AppData\Local\Temp\jellyfascinated

MD5 d13b3301032f805c7ef6c4db65ab7517
SHA1 e41ef07de3d051e5b48e26e3ee9bef3655df2b1c
SHA256 7535ebd4df3bd62a496c03ba8cf206a90975617822509bb1dbd3201898b1f542
SHA512 099f1aad424a74cbc4ebe76356be6370796ad26ecf3eb9e212df8e100fadc00eff5dc8e3b1376f2a8d683a904d7b22394c1420a42bf6be8f843cce4e1c06fd17

C:\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

MD5 d49ebbe435403196599ac66609fb9ed6
SHA1 0078e421e01c7dd1f0a07b02ce81acfb8a814996
SHA256 5bf9a3416abddcb0761f9dae2512ac2d840d23f1b3ae870fef73dd249c48a26b
SHA512 d7b129a10c6f4792302178a8799b7bd9b3197b1548a1fa35817f0671bdef8088f3c50dc894615b9b8fddc5deadb30ea2db8665e53d5f40bf79a15a79391285bf

\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

MD5 a3d946e2257b73855ec73e7e88f678ec
SHA1 59f744b63e0b7b3f96a3fd547e1f3ee2f55264e3
SHA256 b7d09a665f1cef173b356cb5e247e8772191509aeb4bb9207702a7086772a5fa
SHA512 73c0fd2834f19f4195163f79f1b5d7087e65897ae1fc4371bf9f565ae7128d518f702b435b41b5a87687f0b3aba47f77bf26660db5b13a94418a298a77887802

\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

MD5 6614f476fb63899ad46ba6a16d63acdf
SHA1 7893c04aab53ed46bb619d9daa09d3eea6d13b27
SHA256 2efc86df4c610345726344329166b23c603ad65d4f4568dafc2be4ae87f487d7
SHA512 5690dd8ace834d17d76f20935de9e0efea60233ca498f15bebd8a74e9a75098b99f0763ace1f81631e0dc8bb9b5a7124cce126b51c508d439ca53d3d48684d53

\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

MD5 36300033218ae6f442138fa587d16fa8
SHA1 c7f7d45b26844016feebd482849e04117508492e
SHA256 a879db27e8045ea131a84cb620062b16420393a3503432efd3bbab7c03135140
SHA512 45738d3ac27834fde52fcd4fb232eb1abbfa8b60f44cc6aa107bddd852cddaafc33a3980d347a119238295bd0bf0e031eba22b3ff0aaf65e7b551475f9dc4732

\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

MD5 a9e2379ab5ea2bf143d3a6c1fc32cae2
SHA1 0168e1e0824a3034043aac75e3181cc4d2bcd3cc
SHA256 ebec35dbc6046aea1baa205c83eca4cb34c914481845c1d61c94721e8b20a5fb
SHA512 b260f2eed9778951087741a2b8ead05c234eaf7e32afa966740f6b13ad1bb4a1ae79c0494c55baeeeec7df8dfaa28d749f3d8f208739da6e748100f15527b166

memory/1728-6837-0x000007FEF57B0000-0x000007FEF5B95000-memory.dmp

memory/1728-6838-0x0000000000100000-0x0000000000121000-memory.dmp

memory/1728-6839-0x0000000000100000-0x0000000000121000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-12 10:31
Reported 2024-01-12 10:34
Platform win10v2004-20231215-en
Max time kernel 150s
Max time network 155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 4672 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 392 wrote to memory of 4672 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 4672 wrote to memory of 3444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 4672 wrote to memory of 3444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 4672 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 4672 wrote to memory of 2416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 4672 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4672 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1760 wrote to memory of 772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_17885_2045310320.js" "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat" && "C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat"

C:\Windows\system32\findstr.exe

findstr /V formfamiliar ""C:\Users\Admin\AppData\Local\Temp\\rhythmmask.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode jellyfascinated pastoraldisturbed.dll

C:\Windows\system32\rundll32.exe

rundll32 pastoraldisturbed.dll,x

C:\Windows\system32\cmd.exe

cmd /c rundll32 pastoraldisturbed.dll,x

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 96.17.178.211:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\rhythmmask.bat

MD5 a3134285c9755a420030fc7622e231e1
SHA1 eae99bc500c42855c20852865a1dec2f3dfff4d0
SHA256 a9a57b924cfe5f9fe8df1eb5fcc94ef1d4644c3fdc78e5630ed286e479fde3d4
SHA512 be70a5a2132a49a866736dbac9680aeeeff7284fe7f684802f6dfb7aee9942bf347e2901f9c79ebe14ecc9e5e2a23227ddb8439f993d0528148f78b8fdac75b3

C:\Users\Admin\AppData\Local\Temp\jellyfascinated

MD5 f25ccc6a8ea2939b56ba49c565315a09
SHA1 dd7e6834d648fc6e23a4e786f663f6b8956822a0
SHA256 650cf0f80f4a18c0ace89fcc09782c2cfbe3c5b4326dc30e731bf06325fbeee3
SHA512 d9da2bff35c1362b4b6422bc17ae8b5f264a697d0d4af9c3c8d8f7bcce8b327e994399f9fa619e9f63c66d505da73232c0832327b3b084c1fe6649f8761aca89

C:\Users\Admin\AppData\Local\Temp\pastoraldisturbed.dll

MD5 8c895b48f64861004d2b88f62c01822f
SHA1 00fee5c36ad5037b48d4ed031d485a1a20245258
SHA256 20e1ff405cc7cae8fceb2a885198ce75db79f47a1e96972948a17a86ebf31345
SHA512 bc99b7fb3079bed612f0814267ed7acb6901e4259785abda4cf2e8ab50feb2c6a6012bb403ea521dd478783f76edd0bf2362feceed4bee06287aad55536c4697

memory/772-6834-0x00007FF9A8400000-0x00007FF9A87E5000-memory.dmp

memory/772-6835-0x0000015E59720000-0x0000015E59741000-memory.dmp

memory/772-6836-0x0000015E59720000-0x0000015E59741000-memory.dmp