Malware Analysis Report

2025-01-18 09:29

Sample ID 240126-pfngesegar
Target quisisana-ag.zip
SHA256 24b66cae1fbf63a8983289c8084c5b6b9533ef1f6f66e83513a0daa43ce0f008
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24b66cae1fbf63a8983289c8084c5b6b9533ef1f6f66e83513a0daa43ce0f008

Threat Level: Known bad

The file quisisana-ag.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 12:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 12:16

Reported

2024-01-26 12:19

Platform

win7-20231215-en

Max time kernel

118s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                          Target
PID 2264 wrote to memory of 1996  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1996  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1996  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 1996 wrote to memory of 1508  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 1996 wrote to memory of 1508  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 1996 wrote to memory of 1508  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 1996 wrote to memory of 2020  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 1996 wrote to memory of 2020  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 1996 wrote to memory of 2020  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 1996 wrote to memory of 2044  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 1996 wrote to memory of 2044  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 1996 wrote to memory of 2044  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 1596  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2044 wrote to memory of 1596  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 2044 wrote to memory of 1596  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\22345804828167.js" "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat" && "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat"

C:\Windows\system32\findstr.exe

findstr /V sootheflat ""C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode uncoveredconfused brainyarm.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 brainyarm.dll,m

C:\Windows\system32\rundll32.exe

rundll32 brainyarm.dll,m

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\learnedscarce.bat

MD5 f92b29698a9b7636387d229b5a7b50d0
SHA1 316420cbd0c0caec4248ed8cfed142788a8fb65b
SHA256 ab47b00a09c5fd60dc4b10a6f28a35d544868c60306e7c6e99f293642eb145cb
SHA512 44168a5798d54d8dff4840f8c7fad7210dbe18b9cdcd7340d4ee55649b1d7771e56db92f6162b2cc750a196c34d7a00f9d877e96bc896f3ef4324ff0a56597e0

C:\Users\Admin\AppData\Local\Temp\learnedscarce.bat

MD5 60e2ff683eaddef5aaddda1bd3ee7ea7
SHA1 4e94ed84ea0e838ba2da2173868c5f227cea8392
SHA256 4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a
SHA512 5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564

C:\Users\Admin\AppData\Local\Temp\uncoveredconfused

MD5 9ed108d12af975096039a82c16546669
SHA1 9e0253a42d67cbc02be1eab6a2c86ca6ac0a901e
SHA256 56f29bdfd72403e3f332c3e8f49e1809a1c0c19e02b413fa080debd8d9a41f87
SHA512 faf7ca28c7d09d5a8ecf1b79debc31bce1913b8e0900419310766187bd158efb1c9af25c45aa5cd709ac0171b2d5c57cdd4b8636d97c3e9d0b45c3973cfff3f2

\Users\Admin\AppData\Local\Temp\brainyarm.dll

MD5 7b42faf5885b0cfbbe9650a86d9de863
SHA1 56a7e53367a9bca1bce8f4bdf47935bb6a4dc141
SHA256 4f23f48134caaccd478871b61b2fe4430e4299727b6fc88a8f47b79ab4bcf83a
SHA512 b4d15cad65434f227c10e023ac3004610d47b5e84150e038b150cf2251f77d6e1bbb435844296819cd2c6245dc3cc1f52e3e5d81aa0f7228fbf5de5c5d06efbe

\Users\Admin\AppData\Local\Temp\brainyarm.dll

MD5 d93d651d119de6c5e14a93cba101f592
SHA1 00ff722d49fb9eb4aeb81cf831bfb55987f72afc
SHA256 2a303aca1f09faa8a3d43ab18c7c12b9bb59466f0794704c7f6f5792a6ed351f
SHA512 184de176a4d26dbb79c20d8c441ebf7c56b21e8215332ade746c232fe23abd94ad1f05268b21b4f07b5ee7946965b0d6e7c67462256ed987af8c72ada791fcc6

\Users\Admin\AppData\Local\Temp\brainyarm.dll

MD5 8fb33febbe402ac7c5610f974e9a55e0
SHA1 2ee55f76b26da8724ec57b4047e2a97bce202ac5
SHA256 34055365b3eb337d24f22d730cff24bde4402d03f25947048a46ece92bbd5bde
SHA512 1cd713afdec5744b94ba13182f922cba790eb6acdf50435d75b87ffc5b33f0cffb7fd2e94167807519b7df28f5dd474ffb2bd34d6e3d0102610c1539cb0eb753

\Users\Admin\AppData\Local\Temp\brainyarm.dll

MD5 344f3318e79655d0c3d08bc5f521f70f
SHA1 7da121d62e597ff5d86af21fe323d239ac72bba7
SHA256 4d5895ecb53a11e809f9c81d1e1feebc429a0652cabbc6cbb1a33330aeb3e380
SHA512 a6d1a8ffecb29c37ae86a35ff288a6b8ef3a37abd1481170d3e861253972ca52a62b0d7858fbdd3912750c42981c8771f74ae46687c2e40374f77e10654cb8b5

C:\Users\Admin\AppData\Local\Temp\brainyarm.dll

MD5 005acd749b6bb0c7bf595883d781c3fa
SHA1 64bc4e0dc03321ad68d1dd4b5db90a1556a65910
SHA256 0c1928e750bb49588e29b043b76fbb7fcde080c99b8d82d1195348b0925100e2
SHA512 51b9fb853def4cdd8d4b46882bd83fd43d19024172aff324d144b45a12c3f3282cffc4370e51ab787b61e2aed15ef925d3fe83ae3b51dff29cae2804b5505cac

memory/1596-1552-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

memory/1596-1551-0x000007FEF6100000-0x000007FEF61E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 12:16

Reported

2024-01-26 12:19

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js

Signatures

Strela

stealer strela

Checks computer location settings

Description        Indicator                                                                                              Process                          Target
Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\wscript.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                          Target
PID 2472 wrote to memory of 3180  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 2472 wrote to memory of 3180  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 3180 wrote to memory of 5064  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 3180 wrote to memory of 5064  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 3180 wrote to memory of 776   N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 3180 wrote to memory of 776   N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 3180 wrote to memory of 4872  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 4872  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 4416  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 4872 wrote to memory of 4416  N/A        C:\Windows\system32\cmd.exe      C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\22345804828167.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\22345804828167.js" "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat" && "C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat"

C:\Windows\system32\findstr.exe

findstr /V sootheflat ""C:\Users\Admin\AppData\Local\Temp\\learnedscarce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode uncoveredconfused brainyarm.dll

C:\Windows\system32\rundll32.exe

rundll32 brainyarm.dll,m

C:\Windows\system32\cmd.exe

cmd /c rundll32 brainyarm.dll,m

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53   136.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53   209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53   157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53   206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53   18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53   97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53   23.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53   209.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53   154.141.79.40.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\learnedscarce.bat

MD5 60e2ff683eaddef5aaddda1bd3ee7ea7
SHA1 4e94ed84ea0e838ba2da2173868c5f227cea8392
SHA256 4baaf14d0f1adc879c79b0a234b30330a93ea3fd1d8050ac5910ce40236a067a
SHA512 5db582af4de3e0243474b8637282aed3e089e55b5124e712d4f0d230dd0879fd2a921acce2bf5b7ed1cf4fdf1173b98b46b1fd42d544ce7e45acd852ba971564

C:\Users\Admin\AppData\Local\Temp\uncoveredconfused

MD5 963b1b331221d562001ebc2330a2f996
SHA1 b2cbebc4f5512ad437622e75cb200812614134ee
SHA256 e5110fb49b5a087b2c8dc47f6aff7d92954023fd16a29ed3e138d1ea6714c3ea
SHA512 141f9db15bebe92306255dc05a1b132eedabc01c8297d86b03dcba3fd520d8464d766830f05f3f52dcc4550dbbb72b149c7e40377aac947df2bf4b1154624d42

C:\Users\Admin\AppData\Local\Temp\brainyarm.dll

MD5 3d97638a09af4d6690008936993ba12d
SHA1 cc3c922260d0dacbfda3245c8fd298695fb8c136
SHA256 649d05ad0a76df62028fbb776f9bbdea19e39cbe8f03d6a233f7c297565e06b1
SHA512 016b569fd5b3d8e1ab97fc025a3876dc6159a8e16b6b54a695f367e67b513d9060dc5e846dba4ef66b5ee33e39cdd8626e51afbf1f879569329d7ff4bcc52a18

memory/4416-1548-0x000002E1EFDA0000-0x000002E1EFDC3000-memory.dmp

memory/4416-1549-0x00007FFC89590000-0x00007FFC89675000-memory.dmp