Malware Analysis Report

2025-01-18 09:30

Sample ID 240131-dldcvsadh9
Target 31012024_1105_iberimex.zip
SHA256 0dc793ea91ef452d4876409d24bb4b162528c2297052482b489f98a017834537
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0dc793ea91ef452d4876409d24bb4b162528c2297052482b489f98a017834537

Threat Level: Known bad

The file 31012024_1105_iberimex.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 03:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 03:05

Reported

2024-01-31 03:08

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2236 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3048 wrote to memory of 2236 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3048 wrote to memory of 2236 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2236 wrote to memory of 904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2236 wrote to memory of 904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2236 wrote to memory of 904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2236 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2236 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2236 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2236 wrote to memory of 2220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2220 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2220 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"

C:\Windows\system32\findstr.exe

findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode zephyrhome tickettoys.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 tickettoys.dll,m

C:\Windows\system32\rundll32.exe

rundll32 tickettoys.dll,m

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\obtainfaint.bat

MD5 cd856039e0eadf0f5dfdcd036cb3edc9
SHA1 b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512 a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

C:\Users\Admin\AppData\Local\Temp\zephyrhome

MD5 ec27c9d32b638666b649301419776e16
SHA1 1480c2bbd1de5aeed98401dca0378917461b9cfb
SHA256 a3df024a2c70213924c7e13f2f891d5fbfe6d1d46057076cd53bef17cb78ad21
SHA512 b360f85b7b6e0795afe1f7ca69dd0a0172199ba80b332af00d5110be2bd584b3cb08df0dbba384b32f15ef98a67ed4f045dd3b372717ab142890a8c7ed893efa

C:\Users\Admin\AppData\Local\Temp\tickettoys.dll

MD5 4cc26a2da2049ff4509091cdbf004c5e
SHA1 0bba8d2338b7db224047760a27c57afa02748f05
SHA256 3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312
SHA512 cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

memory/692-715-0x000007FEF7800000-0x000007FEF7848000-memory.dmp

memory/692-716-0x0000000000100000-0x0000000000123000-memory.dmp

memory/692-717-0x0000000000100000-0x0000000000123000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 03:05

Reported

2024-01-31 03:08

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 2484 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3204 wrote to memory of 2484 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2484 wrote to memory of 1836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2484 wrote to memory of 1836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2484 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2484 wrote to memory of 4900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2484 wrote to memory of 2632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 2632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2632 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"

C:\Windows\system32\findstr.exe

findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode zephyrhome tickettoys.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 tickettoys.dll,m

C:\Windows\system32\rundll32.exe

rundll32 tickettoys.dll,m

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\obtainfaint.bat

MD5 cd856039e0eadf0f5dfdcd036cb3edc9
SHA1 b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512 a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

C:\Users\Admin\AppData\Local\Temp\zephyrhome

MD5 45bb4703b30d265f474073b79d575f7b
SHA1 e1e96b924e135ab196a858705d7d0d7faeb79089
SHA256 f23ad20f62511db7458b14aa5e26cdd310b9274a297f1cb87772ff5798fc061c
SHA512 92b519f6a9281aa082d178ac4811988955ddb317684b6becc8bb73b57e129dff977803646d9917a83c5b07114080213d5297529bbe6dc99fa03d3efc19b3cfda

C:\Users\Admin\AppData\Local\Temp\tickettoys.dll

MD5 4cc26a2da2049ff4509091cdbf004c5e
SHA1 0bba8d2338b7db224047760a27c57afa02748f05
SHA256 3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312
SHA512 cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

memory/2272-713-0x00000248580F0000-0x0000024858113000-memory.dmp

memory/2272-712-0x00007FFCFCD00000-0x00007FFCFCD48000-memory.dmp

memory/2272-714-0x00000248580F0000-0x0000024858113000-memory.dmp