Malware Analysis Report

2025-01-18 09:30

Sample ID 240122-ly19fsdfel
Target INVOICE_1877_1553532450.js
SHA256 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394

Threat Level: Known bad

The file INVOICE_1877_1553532450.js was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 09:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 09:57

Reported

2024-01-22 09:59

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                           Target
PID 1988 wrote to memory of 288    N/A        C:\Windows\system32\wscript.exe   C:\Windows\System32\cmd.exe
PID 1988 wrote to memory of 288    N/A        C:\Windows\system32\wscript.exe   C:\Windows\System32\cmd.exe
PID 1988 wrote to memory of 288    N/A        C:\Windows\system32\wscript.exe   C:\Windows\System32\cmd.exe
PID 288 wrote to memory of 2460    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\findstr.exe
PID 288 wrote to memory of 2460    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\findstr.exe
PID 288 wrote to memory of 2460    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\findstr.exe
PID 288 wrote to memory of 2200    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 288 wrote to memory of 2200    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 288 wrote to memory of 2200    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 288 wrote to memory of 2344    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 2344    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 2344    N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 1656   N/A        C:\Windows\system32\cmd.exe       C:\Windows\system32\rundll32.exe
PID 2344 wrote to memory of 1656   N/A        C:\Windows\system32\cmd.exe       C:\Windows\system32\rundll32.exe
PID 2344 wrote to memory of 1656   N/A        C:\Windows\system32\cmd.exe       C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"

C:\Windows\system32\findstr.exe

findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode mammothsofa bulbignorant.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 bulbignorant.dll,x

C:\Windows\system32\rundll32.exe

rundll32 bulbignorant.dll,x
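The five command lines above are a self-extracting polyglot. The .js is copied to a .bat and executed as batch, so the same file has to parse as both JScript and cmd script. findstr /V skillfulmerciful emits only the lines that do not contain that marker string; the report does not capture the redirection, but certutil's input file mammothsofa is consistent with that output being written there. certutil -f -decode then base64-decodes mammothsofa into bulbignorant.dll, and rundll32 calls its export x. The script below is an added example, not code from this report, the sandbox, or the malware: it reproduces the findstr and certutil steps in Python so an analyst can recover the DLL from a sample offline and hash it against the Files section, without detonating anything. The marker and file names are the ones in the command lines; the polyglot text and the payload bytes are constructed for the demonstration and are not the real sample.

```python
"""Recover the second-stage payload from a JS/BAT polyglot dropper offline.

Added example, not code from the report. It re-implements the two built-in
tools used in the process tree:

  findstr /V <marker> <file>   -> keep every line that does NOT contain <marker>
  certutil -f -decode in out   -> base64-decode what is left (certutil accepts
                                  input with or without -----BEGIN/END----- lines)
"""
import base64
import hashlib
import re

# Marker string taken from the report's command line: findstr /V skillfulmerciful
MARKER = "skillfulmerciful"

# PEM-style boundary lines that certutil -encode emits and -decode tolerates
_PEM_BOUNDARY = re.compile(r"^-----(BEGIN|END) [^-]+-----\s*$")


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V marker`: return the lines that do not contain marker.

    findstr is case-sensitive unless /I is given, so the match is exact.
    """
    return [line for line in text.splitlines() if marker not in line]


def certutil_decode(lines: list[str]) -> bytes:
    """Emulate `certutil -decode`: drop PEM boundaries, join, base64-decode.

    Assumption: whitespace-only lines are ignored, and any character outside
    the base64 alphabet is treated as an error rather than silently skipped.
    """
    body = "".join(
        line.strip()
        for line in lines
        if line.strip() and not _PEM_BOUNDARY.match(line.strip())
    )
    return base64.b64decode(body, validate=True)


def extract_payload(polyglot_text: str, marker: str = MARKER) -> bytes:
    """Whole staging chain: findstr /V -> certutil -decode -> payload bytes."""
    return certutil_decode(findstr_v(polyglot_text, marker))


def sha256_hex(data: bytes) -> str:
    """Hash the recovered payload so it can be compared with the Files section."""
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample (NOT the real INVOICE_1877_1553532450.js) ---
# Every batch line carries the marker, so findstr /V strips the whole
# batch layer and only the base64 body reaches certutil. The payload is a
# fake MZ stub, not a real DLL.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"fake-dll-body-for-demo"
_b64 = base64.encodebytes(FAKE_PAYLOAD).decode()  # 76-column lines, like certutil -encode
SAMPLE_POLYGLOT = (
    "/* skillfulmerciful */ @echo off & rem skillfulmerciful\n"
    "findstr /V skillfulmerciful \"%~f0\" > mammothsofa & rem skillfulmerciful\n"
    "certutil -f -decode mammothsofa bulbignorant.dll & rem skillfulmerciful\n"
    "rundll32 bulbignorant.dll,x & exit /b & rem skillfulmerciful\n"
    "-----BEGIN CERTIFICATE-----\n"
    + _b64 +
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    payload = extract_payload(SAMPLE_POLYGLOT)
    print(f"recovered {len(payload)} bytes, magic={payload[:2]!r}, sha256={sha256_hex(payload)}")
```

Run it against a real sample by reading the .js as text and calling extract_payload with the marker seen in the findstr command line; if the SHA-256 of the result matches the bulbignorant.dll entry in the Files section, the static extraction is faithful to what the sandbox observed.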

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 f881dc8019be31fdefa607eea19c521b
SHA1 3f15ab42749f8bdfe1b330efa60f87dfc8b3fb0e
SHA256 40d68d0aa11664fed7d0ce2ec88ad202fc8aeaed69e18f778f972dfe54428733
SHA512 511c1286c282b609ad212a0b8c052a7f0670b559d75877fda38d88b77608634be522daefcb7662bec40dfce696b6696b5cad949318f81132ba3c536257c60c6e

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 34bcdbd3855b4a4354f3cd03e608440a
SHA1 6a8bf0531a981e6f567782801c5cfc0ef9f01a91
SHA256 14ff76924ff2f4102e06ba9f9109311e296c3d07bf5fc0cd888c93b69b545394
SHA512 55483251feda3c1ccdff42767458333aa737052d0e2c51ad1be5f1615202d3f2407cd2c3d1ca8d4e151cae3e6ca21e6fde5a4b4e5b7906b91964c9320e6e94a7

C:\Users\Admin\AppData\Local\Temp\mammothsofa

MD5 633c0f0851caf2cc44727718ba335e68
SHA1 03447d779de01b237608abf5b1dc6892d36bc16c
SHA256 a440269f7867a54e58003b82929a525092827a6ab1d8d2cb298608b289c3beb9
SHA512 928c1cb57f938c14b736c7002d6a6d51d2d3234501d466bc72432477c06077ef243d7819f99f4da1996291b3f1c31d134b83d98950427f594a65c2dc28fb029c

C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 acbc87f5ccf78f85146fb26690299bd1
SHA1 38d3f664f1a240937147e6870c1ad1478e761e62
SHA256 c7fd534680b7119ac17af963a6f3dfc97c3894808276f284e87385cf49b285ba
SHA512 10f52a3fa495613e4fad514af7664e19df0420056d9b1d447ad779293b02658fee264fa0d383994f5b415f88cec7079d92ca9737cf4bdf30117b7130ca04bd5c

memory/1656-8429-0x0000000000130000-0x0000000000151000-memory.dmp

memory/1656-8428-0x000007FEF5990000-0x000007FEF5D7D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 09:57

Reported

2024-01-22 09:59

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

Signatures

Strela

stealer strela

Checks computer location settings

Description        Indicator                                                                                                Process                          Target
Key value queried  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\wscript.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                           Target
PID 2280 wrote to memory of 2100   N/A        C:\Windows\system32\wscript.exe   C:\Windows\System32\cmd.exe
PID 2280 wrote to memory of 2100   N/A        C:\Windows\system32\wscript.exe   C:\Windows\System32\cmd.exe
PID 2100 wrote to memory of 1388   N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\findstr.exe
PID 2100 wrote to memory of 1388   N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\findstr.exe
PID 2100 wrote to memory of 1420   N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 2100 wrote to memory of 1420   N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 2100 wrote to memory of 3260   N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\cmd.exe
PID 2100 wrote to memory of 3260   N/A        C:\Windows\System32\cmd.exe       C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 1892   N/A        C:\Windows\system32\cmd.exe       C:\Windows\system32\rundll32.exe
PID 3260 wrote to memory of 1892   N/A        C:\Windows\system32\cmd.exe       C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"

C:\Windows\system32\findstr.exe

findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode mammothsofa bulbignorant.dll

C:\Windows\system32\rundll32.exe

rundll32 bulbignorant.dll,x

C:\Windows\system32\cmd.exe

cmd /c rundll32 bulbignorant.dll,x
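The WriteProcessMemory table and the process list above give the parent/child PIDs and command lines of the whole chain: wscript.exe (2280) spawns cmd.exe (2100), which runs findstr.exe (1388), certutil.exe (1420) and a second cmd.exe (3260), which finally starts rundll32.exe (1892). The detection below is an added example and is not part of the report: it takes process-creation events of the kind an EDR or Sysmon Event ID 1 provides after normalisation, rebuilds each process's ancestry, and correlates the output file name of certutil -decode with the DLL that rundll32 loads under the same script-host ancestor. The sample events are transcribed from this behavioral2 tree; the parent PID given to wscript.exe, the explorer.exe control case, the field names and the severity labels are assumptions.

```python
"""Flag the wscript -> cmd -> certutil -decode -> rundll32 staging chain in
process-creation telemetry.

Added example, not part of the sandbox report. Events carry pid, parent pid,
image path and command line; everything else is derived from those fields.
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Directory fragments a standard user can write to (lower-case, backslash form)
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# cmd.exe copying a .js to a .bat/.cmd, as in the report's /k copy ... command line
COPY_TO_BAT = re.compile(r'\bcopy\s+"?(?P<src>[^"\s]+\.js)"?\s+"?(?P<dst>[^"\s]+\.(?:bat|cmd))"?', re.I)


def image_name(path: str) -> str:
    """Lower-case file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestors(events, pid):
    """Return the ancestor chain of pid, nearest first; stops at unknown or cyclic parents."""
    by_pid = {e.pid: e for e in events}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def certutil_decode_output(cmdline: str):
    """Output file of `certutil [-f] -decode <in> <out>` (or /decode), else None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks):
        if tok.lower() in ("-decode", "/decode") and i + 2 < len(toks):
            return toks[i + 2].strip('"')
    return None


def rundll32_target(cmdline: str):
    """(dll, export) from `rundll32 <dll>,<export> [args]`; (None, None) if not parseable.

    Simplification: assumes the rundll32 image token itself contains no spaces.
    """
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None, None
    dll, _, export = parts[1].strip().partition(",")
    export = export.split()[0] if export.split() else None
    return dll.strip().strip('"'), export


def detect_staging_chain(events):
    """Return (pid, severity, message) findings for the staging pattern."""
    def script_root(ev):
        for a in ancestors(events, ev.pid):
            if image_name(a.image) in SCRIPT_HOSTS:
                return a.pid
        return None

    findings = []
    decoded = {}  # script-host root pid -> set of DLL names produced by certutil -decode
    for ev in events:
        if image_name(ev.image) == "certutil.exe":
            out, root = certutil_decode_output(ev.cmdline), script_root(ev)
            if out and root is not None:
                decoded.setdefault(root, set()).add(image_name(out))
                findings.append((ev.pid, "medium", f"certutil -decode under script host {root} -> {out}"))

    for ev in events:
        root = script_root(ev)
        if root is None:
            continue
        name = image_name(ev.image)
        if name == "cmd.exe":
            m = COPY_TO_BAT.search(ev.cmdline)
            if m:
                findings.append((ev.pid, "medium", f"script copied to batch file: {m.group('dst')}"))
        elif name == "rundll32.exe":
            dll, export = rundll32_target(ev.cmdline)
            if dll is None:
                continue
            if image_name(dll) in decoded.get(root, set()):
                findings.append((ev.pid, "high", f"rundll32 loads certutil-decoded DLL {dll},{export}"))
            elif not ntpath.dirname(dll) or any(h in dll.lower() for h in USER_WRITABLE_HINTS):
                findings.append((ev.pid, "medium", f"rundll32 loads DLL from relative/user-writable path: {dll}"))
    return findings


# Transcribed from the behavioral2 tree above; wscript's parent pid and the
# explorer.exe control case are constructed.
SAMPLE_EVENTS = [
    ProcEvent(2280, 1, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js"),
    ProcEvent(2100, 2280, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\INVOICE_1877_1553532450.js" "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat" && "C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat"'),
    ProcEvent(1388, 2100, r"C:\Windows\system32\findstr.exe",
              r'findstr /V skillfulmerciful ""C:\Users\Admin\AppData\Local\Temp\\faithfulpossessive.bat""'),
    ProcEvent(1420, 2100, r"C:\Windows\system32\certutil.exe", "certutil -f -decode mammothsofa bulbignorant.dll"),
    ProcEvent(3260, 2100, r"C:\Windows\system32\cmd.exe", "cmd /c rundll32 bulbignorant.dll,x"),
    ProcEvent(1892, 3260, r"C:\Windows\system32\rundll32.exe", "rundll32 bulbignorant.dll,x"),
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, sev, msg in detect_staging_chain(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {msg}")
```

The correlation step is what keeps the false-positive rate usable: rundll32 with a bare DLL name is common in benign software, and certutil -decode has legitimate administrative uses, but a DLL name that first appears as certutil's output argument and then as rundll32's load target under the same wscript.exe ancestor is the pattern this report documents. The explorer.exe control event produces no finding because it has no script-host ancestor.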

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 400cf18ddcf85d59ef822b48410c6c9b
SHA1 5f3ec44cccacdd894f299dd8e674d3a7fc45e5d1
SHA256 6bae24e1e106d6baa2c18da16514573825af6487e08283b862ae9e862b1065b8
SHA512 dd8f9c7da4eac3f2b47da3f97e65d3ec7c99c4471edf0fc66b3764157bee6112f27cf16cdcbb12f49f9451f9e4b6fd87252f2b213cefb95ae46eaa6888229e3f

C:\Users\Admin\AppData\Local\Temp\faithfulpossessive.bat

MD5 f9104f2cf870c336d319af8c9908673f
SHA1 ca2fed90d1697e69b1d98b924bc3f06433de9fa2
SHA256 32e23b71e2083b679cda0eef6c7fad5d3be4e9c2d748fb386c9d51f22726344b
SHA512 526e64749cf4ea55b2a3e6239999190bd84ba34ff70ce30a0b4da8d296652d527ec562f2abb7e136d146a2a02cd6ea9d5d07d91c7e60eed07e6b1ab5f8c4ec8e

C:\Users\Admin\AppData\Local\Temp\mammothsofa

MD5 750009d104c5ce1e8bcb00d65e266c52
SHA1 7ec4778f49ce97b9774930f49ad08226eee3dd3a
SHA256 140a48ec38493e88764cfbf194261a6d34bb84cc4ec1bb85bff13d6342513468
SHA512 675c98c794f1b9a10aeae876b27f68c39166f84f5c4404940d9f397ea5315708a57e65d953b9fbcf3b2074fab9b273823cb2f92cde223482d38cf46e7b771ba1

C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 7fdbd8e5f40aa26c7408acb5135e9ba6
SHA1 5f930542d15501871418a366950a047be575f6c7
SHA256 9db302ae39116a3cc5141b2a1e3d75f504b90d1e2a534e84b7d14d8fae50ead4
SHA512 584fe9740fb0f6911dc1c2a163781f616546d16236520b776af31a974ded10a9b74b463130e69fa90e7b900692a7dc2b6e4b5bade84c0e14bfd3222377f2bb40

C:\Users\Admin\AppData\Local\Temp\bulbignorant.dll

MD5 5546cd9ff3bc480656fa5a10b24b52bd
SHA1 31a71df7f6b3f891cc0a86b0282bf92390c99889
SHA256 1044e9f48523fa7656749a7495ae041b47d14f6d800048831a3a2788064e0264
SHA512 5bd0aa223a1714d6478e8d2b3cd9002fe4b151bba233fc07da184d7209eafc3b104dcaac833595867517a5c8cf218f1a4d90b1318631a218db620b7454d4e0e7

memory/1892-8425-0x00007FFCA0520000-0x00007FFCA090D000-memory.dmp

memory/1892-8426-0x0000013908060000-0x0000013908081000-memory.dmp