Malware Analysis Report

2025-01-18 09:29

Sample ID 240126-pm2mmaehfr
Target quisisana-ag.zip
SHA256 46c6bedc6f4bfdfae1c0ae378ca649c115187c722e7786002b180ced07135a7d
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46c6bedc6f4bfdfae1c0ae378ca649c115187c722e7786002b180ced07135a7d

Threat Level: Known bad

The file quisisana-ag.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 12:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 12:27

Reported

2024-01-26 12:30

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2336 wrote to memory of 2292 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2336 wrote to memory of 2292 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2336 wrote to memory of 2292 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2292 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 1220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 1220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 1220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 2040 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2040 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2040 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 2040 wrote to memory of 1004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 2040 wrote to memory of 1004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Each row is one recorded WriteProcessMemory call. A parent writing into a child it has just created is part of normal process start-up (the parent fills in the new process's parameters), so the value of this table is the parent/child lineage it documents, not the writes themselves.

Processes

Process tree, reconstructed from the parent/child pairs in the WriteProcessMemory table above (PIDs are this detonation's):

C:\Windows\system32\wscript.exe (PID 2336)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
  C:\Windows\System32\cmd.exe (PID 2292)
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
    C:\Windows\system32\findstr.exe (PID 1244)
        findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
    C:\Windows\system32\certutil.exe (PID 1220)
        certutil -f -decode tinsoak heapswim.dll
    C:\Windows\system32\cmd.exe (PID 2040)
        cmd /c rundll32 heapswim.dll,m
      C:\Windows\system32\rundll32.exe (PID 1004)
          rundll32 heapswim.dll,m

Analyst note: the dropped .js runs under wscript.exe, copies itself to suspectfeeble.bat and relaunches that copy, so the same file is valid both as JScript and as a batch script (a polyglot). The batch stage runs findstr /V ricehat over itself, which emits only the lines that do not contain the marker ricehat, i.e. strips the script lines and leaves the embedded base64 blob. That output is evidently redirected to tinsoak, the file certutil decodes next; the redirection is parsed by cmd.exe, which is why it never appears in findstr's own command line. certutil -f -decode writes the decoded DLL as heapswim.dll, and rundll32 loads it by calling its export m. Every image in the chain is a signed Windows component, so the detectable signal is the sequence of command lines and the lineage, not any single binary.
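Added example (not part of this sandbox report or of the sample itself): a Python emulation of the findstr /V and certutil -decode stages, so the embedded DLL can be pulled out of a dropped polyglot offline without executing it. Only the marker ricehat, the file names and the export name m come from the report; the polyglot layout and the payload bytes below are constructed for the example, and certutil's behaviour is approximated (PEM-style ----- header lines are skipped, anything else must be base64).

```python
import base64
import hashlib
import re
import struct

MARKER = b"ricehat"            # the findstr /V argument recorded in this report


def build_fake_pe() -> bytes:
    """CONSTRUCTED stand-in for heapswim.dll: just enough header to pass is_pe()."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew: PE signature at 0x40
    return bytes(hdr) + b"PE\0\0" + b"\x64\x86" + b"\0" * 18 + b"constructed payload"


def build_polyglot(payload: bytes, marker: bytes) -> bytes:
    """CONSTRUCTED layout assumed for the .js/.bat polyglot: every script line
    carries the marker, the base64 payload lines do not, so `findstr /V marker`
    leaves only the payload (plus PEM-style header lines certutil tolerates)."""
    script = [
        b"var a = 1; // " + marker,                           # JScript side, run by wscript
        b"@echo off & rem " + marker,                         # batch side, run by cmd
        b"findstr /V " + marker + b' "%~f0" > tinsoak & rem ' + marker,
        b"certutil -f -decode tinsoak heapswim.dll & rem " + marker,
        b"rundll32 heapswim.dll,m & rem " + marker,
    ]
    b64 = base64.encodebytes(payload).splitlines()           # 76-column lines
    lines = script + [b"-----BEGIN CERTIFICATE-----"] + b64 + [b"-----END CERTIFICATE-----"]
    return b"\r\n".join(lines) + b"\r\n"


B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+=*$")


def findstr_v(data: bytes, marker: bytes) -> bytes:
    """findstr /V <marker>: emit only the lines that do NOT contain the marker."""
    return b"\r\n".join(line for line in data.splitlines() if marker not in line) + b"\r\n"


def certutil_decode(data: bytes) -> bytes:
    """Approximation of `certutil -decode`: skip blank and -----BEGIN/END-----
    lines, require everything else to be base64, then decode. A script line
    that escaped the marker filter therefore fails loudly here instead of
    producing a silently corrupt DLL."""
    body = b""
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith(b"-----"):
            continue
        if not B64_LINE.match(line):
            raise ValueError("non-base64 line survived the filter: %r" % line[:40])
        body += line
    return base64.b64decode(body, validate=True)


def is_pe(blob: bytes) -> bool:
    """MZ stub and PE\\0\\0 at e_lfanew, i.e. something rundll32 would accept."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_payload(polyglot: bytes, marker: bytes) -> bytes:
    """The findstr + certutil stages of the chain, run offline on the dropped file."""
    return certutil_decode(findstr_v(polyglot, marker))


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


FAKE_PE = build_fake_pe()
SAMPLE_POLYGLOT = build_polyglot(FAKE_PE, MARKER)

if __name__ == "__main__":
    dll = extract_payload(SAMPLE_POLYGLOT, MARKER)
    print("decoded %d bytes, PE=%s, sha256=%s" % (len(dll), is_pe(dll), sha256_hex(dll)))
```

On a real dropped file, replace SAMPLE_POLYGLOT with the file's bytes and MARKER with whatever string the sample's findstr /V line uses; the hash of the decoded output is the value to compare against the heapswim.dll records in the Files section, since the sandbox's own records may be partial snapshots.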

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\suspectfeeble.bat

MD5 e142b6e92af05edd784ecea426ea62ae
SHA1 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512 a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3

C:\Users\Admin\AppData\Local\Temp\tinsoak

MD5 696299aca72ee3192632033a0ddc3a8c
SHA1 f584645bef95dbbcb0bcb5373fa2994333065fb0
SHA256 600865ff3dff1938f2ac6d007e75b7e63b3f786eb0f5d17ec824c00ee44e70fa
SHA512 33a2144fb0dcd2b6d33065cb63650e7d6a67ff7473549d79cc26d1fa3e6a35262e4a2dd7f08ad1b2e7fe619768af1aef46625c2f2810e8c82cec09eca6ea5e2a

\Users\Admin\AppData\Local\Temp\heapswim.dll

MD5 5ddd27670ad2f96f60f647fb11a40144
SHA1 3ac045fc6232695d50be3f53851fd7e99e5acc7c
SHA256 224bd873f90ae81f72370091401fc6b5e696073858337b2ebaf545f71aea5e0a
SHA512 3de20a736326e6ebddda839d28deaff53ec7ebf1dd0e91349fd6880e4a946ab2ac4ce1f6ea39cd08b5f35c8361a91851afa1be344bb92e73048778286246a9ca

\Users\Admin\AppData\Local\Temp\heapswim.dll

MD5 062b9f193bad0d4ec3629e8267cc4fcf
SHA1 a90705eb7d8777b8790a5075ec7dea38137558e2
SHA256 92c95056a5785ba6b3d328e1b361053d2e57e7d8842a7b2f37ba0a71e58af12c
SHA512 67b651a04c8ed3139c8fe3d50c6ea7160dcf530d38d7d973fec33350166989133a1b6c854b953c4c052049610307acedb5fefac17dbc9c5f02cfc79bedb51d31

\Users\Admin\AppData\Local\Temp\heapswim.dll

MD5 289cebd06358f2da993852c7d113dfd3
SHA1 d3e7cf03a69846104c6d2cddd50620cb56d7c001
SHA256 4d249b0e6c8ef4e3fd4e9de3458d9e4d50566aa660797418aa5e2b06dd9f2ba2
SHA512 85e40b742937c5d6f8a3e8ebdb080a5a31bc4f4235b3a7ed4d9b2053e89be79988a3bd5eefbb6bcc3e2f345a5b284e1830832a48e1e7d7d3c6aad9e0b1db8fdc

\Users\Admin\AppData\Local\Temp\heapswim.dll

MD5 9416e6675854a25cd39e3fc0b1276651
SHA1 b8b9abcfeb6da90f0232feb1a3852741639a937e
SHA256 fd683f8c3e8ca5b3f78a9175f7deb61b6c4ebcd3d3ac0cb199f8b53f3dfe8d87
SHA512 b1f1ebd36df70db8b57f4906e604a5947c1bc8f554c9d5b789d78414f6dfbcc0b9847a0ec95fce4ada188ca18b0202a2340b47e4dc626d20ee934c91a13f7eea

C:\Users\Admin\AppData\Local\Temp\heapswim.dll

MD5 dd76999007aa8afa4f8e690bdb5111ac
SHA1 49c22b414e983d073c684830b3a3bbbdf1f9f14a
SHA256 6f60d359d59b31d01bbf061837683fa0463c89bc7479950f2d1ce04bf8b77599
SHA512 4f5f559178781d8d95bf10e67c485f3232b5612d732d0d4d4e01368b9662abe0cf72e96895ffbd77215c17a0264a979843e52d10f158b110b75cf819a7a17de7

Note on the hashes: five records exist for heapswim.dll, each with a different hash, and the tinsoak and heapswim.dll hashes also differ between behavioral1 and behavioral2, while suspectfeeble.bat (a byte-for-byte copy of the dropped .js) has the same hash in both runs. This is consistent with the sandbox capturing the decoded file at successive write points rather than with five distinct payloads. For pivoting, prefer the suspectfeeble.bat hash, and hash the DLL yourself from a complete copy before treating any single heapswim.dll hash above as an indicator.

memory/1004-1385-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/1004-1384-0x000007FEF6F50000-0x000007FEF7009000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 12:27

Reported

2024-01-26 12:30

Platform

win10v2004-20231215-en

Max time kernel

135s

Max time network

144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1172 wrote to memory of 3156 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1172 wrote to memory of 3156 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 3156 wrote to memory of 3692 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 3156 wrote to memory of 3692 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 3156 wrote to memory of 2284 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3156 wrote to memory of 2284 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3156 wrote to memory of 3632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 3632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3632 wrote to memory of 4548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 3632 wrote to memory of 4548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

Process tree, reconstructed from the parent/child pairs in the WriteProcessMemory table above. The chain is the same as in behavioral1; only the PIDs differ, and the two memory dumps listed under Files were taken from the rundll32 process (PID 4548).

C:\Windows\system32\wscript.exe (PID 1172)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28325142147799.js
  C:\Windows\System32\cmd.exe (PID 3156)
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\28325142147799.js" "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat" && "C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat"
    C:\Windows\system32\findstr.exe (PID 3692)
        findstr /V ricehat ""C:\Users\Admin\AppData\Local\Temp\\suspectfeeble.bat""
    C:\Windows\system32\certutil.exe (PID 2284)
        certutil -f -decode tinsoak heapswim.dll
    C:\Windows\system32\cmd.exe (PID 3632)
        cmd /c rundll32 heapswim.dll,m
      C:\Windows\system32\rundll32.exe (PID 4548)
          rundll32 heapswim.dll,m
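Added example, not part of this report or of any vendor's rule set: detection logic in Python for the chain that both detonations record, run over constructed process-creation events (Sysmon event 1 style fields: pid, ppid, image, cmdline). The malicious tree is built from the PIDs and command lines in the behavioral1 section; the benign tree, the rule names and the heuristic thresholds (a DLL export name of 1 to 3 characters, as in heapswim.dll,m) are this example's own assumptions.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Heuristic names are this example's own, not the sandbox's signature names.
RULE_COPY = "script_copied_to_bat_and_run"
RULE_DECODE = "certutil_decode_under_script_host"
RULE_RUNDLL = "rundll32_short_export_under_script_host"
RULE_NAMES = (RULE_COPY, RULE_DECODE, RULE_RUNDLL)

RE_JS_TO_BAT = re.compile(r"\bcopy\b.*\.(js|jse|vbs|vbe|wsf)\b.*\.(bat|cmd)\b", re.I)
RE_CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\b.*\s-(decode|decodehex)\b", re.I)
# DLL given by name plus a 1-3 character export, as in "heapswim.dll,m";
# legitimate callers use descriptive export names (Control_RunDLL, ...).
RE_RUNDLL_SHORT_EXPORT = re.compile(r"rundll32(\.exe)?\s+\S+\.dll,\s*\w{1,3}\b", re.I)


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... (stops at an unknown ppid or a cycle)."""
    seen, ev = set(), by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def root_of(pid, by_pid):
    root = pid
    for a in ancestors(pid, by_pid):
        root = a["pid"]
    return root


def detect(events):
    """Return sorted (rule, pid) hits over events of the form
    {pid, ppid, image, cmdline}; lineage is resolved through ppid."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = image_name(e["image"]), e["cmdline"]
        lineage = [image_name(a["image"]) for a in ancestors(e["pid"], by_pid)]
        under_script_host = bool(SCRIPT_HOSTS & set(lineage))
        if img == "cmd.exe" and RE_JS_TO_BAT.search(cmd):
            hits.append((RULE_COPY, e["pid"]))
        if img == "certutil.exe" and under_script_host and RE_CERTUTIL_DECODE.search(cmd):
            hits.append((RULE_DECODE, e["pid"]))
        if img == "rundll32.exe" and under_script_host and RE_RUNDLL_SHORT_EXPORT.search(cmd):
            hits.append((RULE_RUNDLL, e["pid"]))
    return sorted(hits)


def chain_detected(events):
    """True when one process tree triggers all three rules: the complete
    copy-to-bat -> certutil -decode -> rundll32 chain recorded in this report,
    a far stronger signal than any single heuristic on its own."""
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(set)
    for rule, pid in detect(events):
        per_root[root_of(pid, by_pid)].add(rule)
    return any(rules == set(RULE_NAMES) for rules in per_root.values())


# CONSTRUCTED from the behavioral1 section: PIDs and command lines as recorded
# there; the parent of wscript.exe is not in the report, so its ppid is 0.
T = r"C:\Users\Admin\AppData\Local\Temp"
REPORT_EVENTS = [
    dict(pid=2336, ppid=0, image=r"C:\Windows\system32\wscript.exe",
         cmdline=rf"wscript.exe {T}\28325142147799.js"),
    dict(pid=2292, ppid=2336, image=r"C:\Windows\System32\cmd.exe",
         cmdline=rf'"C:\Windows\System32\cmd.exe" /k copy "{T}\28325142147799.js" "{T}\\suspectfeeble.bat" && "{T}\\suspectfeeble.bat"'),
    dict(pid=1244, ppid=2292, image=r"C:\Windows\system32\findstr.exe",
         cmdline=rf'findstr /V ricehat ""{T}\\suspectfeeble.bat""'),
    dict(pid=1220, ppid=2292, image=r"C:\Windows\system32\certutil.exe",
         cmdline="certutil -f -decode tinsoak heapswim.dll"),
    dict(pid=2040, ppid=2292, image=r"C:\Windows\system32\cmd.exe",
         cmdline="cmd /c rundll32 heapswim.dll,m"),
    dict(pid=1004, ppid=2040, image=r"C:\Windows\system32\rundll32.exe",
         cmdline="rundll32 heapswim.dll,m"),
]

# CONSTRUCTED benign tree: an admin hashing a file and opening a control panel applet.
BENIGN_EVENTS = [
    dict(pid=500, ppid=0, image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    dict(pid=501, ppid=500, image=r"C:\Windows\System32\cmd.exe", cmdline=r'"C:\Windows\System32\cmd.exe"'),
    dict(pid=502, ppid=501, image=r"C:\Windows\system32\certutil.exe",
         cmdline=r"certutil -hashfile C:\setup.exe SHA256"),
    dict(pid=503, ppid=500, image=r"C:\Windows\system32\rundll32.exe",
         cmdline="rundll32 shell32.dll,Control_RunDLL desk.cpl"),
]

if __name__ == "__main__":
    print(detect(REPORT_EVENTS), chain_detected(REPORT_EVENTS))
    print(detect(BENIGN_EVENTS), chain_detected(BENIGN_EVENTS))
```

The per-rule hits are deliberately gated on lineage (a script host somewhere above the process) so that a certutil -decode typed by an administrator does not fire, while chain_detected requires all three stages in one tree, which is the shape to alert on with high confidence.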

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

The in-addr.arpa entries are reverse (PTR) lookups sent to Google DNS for addresses in Microsoft and CDN ranges, a pattern consistent with Windows background traffic on the analysis VM rather than with the sample. The report attributes none of these connections to a process, so the single TCP session to 138.91.171.81:80 should be correlated with the rundll32 process (PID 4548) in the full detonation data before it is used as a Strela indicator; note that behavioral1 (Win7) recorded no network activity at all.

Files

C:\Users\Admin\AppData\Local\Temp\suspectfeeble.bat

MD5 e142b6e92af05edd784ecea426ea62ae
SHA1 4b4a1e8489acef2c4a27dfe4f9de1b2e4a14f86e
SHA256 4b2fb816282af672a02dd4f13fff81f00f6f3825c7c9329dca4bf934412b8322
SHA512 a69d6958f60427fcf8e66c41a6b64e9033eb6504aaf05d5be62a849efcf113996dfd14a24d256fab43e53e4694c3a5f19bd3a298052c793f346fe4d04f34cee3

C:\Users\Admin\AppData\Local\Temp\tinsoak

MD5 9ed413fb2d65047ce18bdd9bd2d738a7
SHA1 dbcdb9612ac5c51f3940f0e28377e749153beb72
SHA256 cbb12b164a282becaae013b43a7b948bf3e9a913340cc35dd0d915720bfde909
SHA512 403d48fd20c2d0e807064af5acf978a7329833229700f18b7f170b313853f8a345782a2541817c945742f7752b38a848c4230298f1bf4920dfcaa859a8f4ded9

C:\Users\Admin\AppData\Local\Temp\heapswim.dll

MD5 e369903ea87d49ddf23c1682a5e8d01e
SHA1 0b50b560770cf44c8d95286d7d67fa27871f7d1a
SHA256 80a58fc6fc8ce8929996f6cd56b97cb729cf8bfe2b07c02b112b6b6d96f02423
SHA512 359dd3a3c2341c5f0fd5c60538bf0c10f8efbf818376a2f049bc2f9f5c5fe9c9d9d2077da115e28ea9b0fa69961df68eaa667fd220402b9eb4eb679969df2a09

memory/4548-1381-0x00007FFDEF0B0000-0x00007FFDEF169000-memory.dmp

memory/4548-1382-0x00000209FFA40000-0x00000209FFA63000-memory.dmp