strela | 46c6bedc6f4bfdfae1c0ae378ca649c115187c722e7786002b180ced07135a7d

General

Target

28325142147799.js
Size

959KB
MD5

e142b6e92af05edd784ecea426ea62ae
SHA1

4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256

4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512

a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3
SSDEEP

12288:H2DjmKxUlG7TcTEeHeauBdjGjNzWpEq0mqRVb86XFXZZSLY72i9TMY6Sms9aFG4M:WZU67qe/p9dtkoH2

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1004 rundll32.exe
1004 rundll32.exe
1004 rundll32.exe
1004 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 2336 wrote to memory of 2292	2336	wscript.exe	cmd.exe
PID 2336 wrote to memory of 2292	2336	wscript.exe	cmd.exe
PID 2336 wrote to memory of 2292	2336	wscript.exe	cmd.exe
PID 2292 wrote to memory of 1244	2292	cmd.exe	findstr.exe
PID 2292 wrote to memory of 1244	2292	cmd.exe	findstr.exe
PID 2292 wrote to memory of 1244	2292	cmd.exe	findstr.exe
PID 2292 wrote to memory of 1220	2292	cmd.exe	certutil.exe
PID 2292 wrote to memory of 1220	2292	cmd.exe	certutil.exe
PID 2292 wrote to memory of 1220	2292	cmd.exe	certutil.exe
PID 2292 wrote to memory of 2040	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2040	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2040	2292	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1004	2040	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 1004	2040	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 1004	2040	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\findstr.exe
findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
3⤵
PID:1244

C:\Windows\system32\certutil.exe
certutil -f -decode tinsoak heapswim.dll
3⤵
PID:1220

C:\Windows\system32\cmd.exe
cmd /c rundll32 heapswim.dll,m
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\rundll32.exe
rundll32 heapswim.dll,m
1⤵
- Loads dropped DLL
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\heapswim.dll

Filesize
76KB

MD5
dd76999007aa8afa4f8e690bdb5111ac

SHA1
49c22b414e983d073c684830b3a3bbbdf1f9f14a

SHA256
6f60d359d59b31d01bbf061837683fa0463c89bc7479950f2d1ce04bf8b77599

SHA512
4f5f559178781d8d95bf10e67c485f3232b5612d732d0d4d4e01368b9662abe0cf72e96895ffbd77215c17a0264a979843e52d10f158b110b75cf819a7a17de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\suspectfeeble.bat

Filesize
959KB

MD5
e142b6e92af05edd784ecea426ea62ae

SHA1
4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e

SHA256
4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322

SHA512
a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tinsoak

Filesize
423KB

MD5
696299aca72ee3192632033a0ddc3a8c

SHA1
f584645bef95dbbcb0bcb5373fa2994333065fb0

SHA256
600865ff3dff1938f2ac6d007e75b7e63b3f786eb0f5d17ec824c00ee44e70fa

SHA512
33a2144fb0dcd2b6d33065cb63650e7d6a67ff7473549d79cc26d1fa3e6a35262e4a2dd7f08ad1b2e7fe619768af1aef46625c2f2810e8c82cec09eca6ea5e2a

Download Submit
\Users\Admin\AppData\Local\Temp\heapswim.dll

Filesize
49KB

MD5
9416e6675854a25cd39e3fc0b1276651

SHA1
b8b9abcfeb6da90f0232feb1a3852741639a937e

SHA256
fd683f8c3e8ca5b3f78a9175f7deb61b6c4ebcd3d3ac0cb199f8b53f3dfe8d87

SHA512
b1f1ebd36df70db8b57f4906e604a5947c1bc8f554c9d5b789d78414f6dfbcc0b9847a0ec95fce4ada188ca18b0202a2340b47e4dc626d20ee934c91a13f7eea

Download Submit
\Users\Admin\AppData\Local\Temp\heapswim.dll

Filesize
23KB

MD5
5ddd27670ad2f96f60f647fb11a40144

SHA1
3ac045fc6232695d50be3f53851fd7e99e5acc7c

SHA256
224bd873f90ae81f72370091401fc6b5e696073858337b2ebaf545f71aea5e0a

SHA512
3de20a736326e6ebddda839d28deaff53ec7ebf1dd0e91349fd6880e4a946ab2ac4ce1f6ea39cd08b5f35c8361a91851afa1be344bb92e73048778286246a9ca

Download Submit
\Users\Admin\AppData\Local\Temp\heapswim.dll

Filesize
58KB

MD5
289cebd06358f2da993852c7d113dfd3

SHA1
d3e7cf03a69846104c6d2cddd50620cb56d7c001

SHA256
4d249b0e6c8ef4e3fd4e9de3458d9e4d50566aa660797418aa5e2b06dd9f2ba2

SHA512
85e40b742937c5d6f8a3e8ebdb080a5a31bc4f4235b3a7ed4d9b2053e89be79988a3bd5eefbb6bcc3e2f345a5b284e1830832a48e1e7d7d3c6aad9e0b1db8fdc

Download Submit
\Users\Admin\AppData\Local\Temp\heapswim.dll

Filesize
49KB

MD5
062b9f193bad0d4ec3629e8267cc4fcf

SHA1
a90705eb7d8777b8790a5075ec7dea38137558e2

SHA256
92c95056a5785ba6b3d328e1b361053d2e57e7d8842a7b2f37ba0a71e58af12c

SHA512
67b651a04c8ed3139c8fe3d50c6ea7160dcf530d38d7d973fec33350166989133a1b6c854b953c4c052049610307acedb5fefac17dbc9c5f02cfc79bedb51d31

Download Submit
memory/1004-1385-0x0000000000390000-0x00000000003B3000-memory.dmp

Filesize
140KB

Download
memory/1004-1384-0x000007FEF6F50000-0x000007FEF7009000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing