strela | 16dbe515cf6abb556aeec4f89f837af4fb66f8d279dcd05832cc9b9eb9c29d4f

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 01:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
Size

1.4MB
MD5

6a6c6d9614e572fedbfb8d2eb108bb42
SHA1

347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256

23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512

e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499
SSDEEP

24576:68+ynjkFpqZ5YszaGTWeo2a2QQrcuCUw2eQBJeOsvWthPVtd9qu2X+DlvCu0903s:aN

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 4 IoCs

pid	Process
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2016	1664	wscript.exe	28
PID 1664 wrote to memory of 2016	1664	wscript.exe	28
PID 1664 wrote to memory of 2016	1664	wscript.exe	28
PID 2016 wrote to memory of 2400	2016	cmd.exe	30
PID 2016 wrote to memory of 2400	2016	cmd.exe	30
PID 2016 wrote to memory of 2400	2016	cmd.exe	30
PID 2016 wrote to memory of 2372	2016	cmd.exe	31
PID 2016 wrote to memory of 2372	2016	cmd.exe	31
PID 2016 wrote to memory of 2372	2016	cmd.exe	31
PID 2016 wrote to memory of 1408	2016	cmd.exe	32
PID 2016 wrote to memory of 1408	2016	cmd.exe	32
PID 2016 wrote to memory of 1408	2016	cmd.exe	32

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\findstr.exe
    findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""
    3⤵
    PID:2400
- - C:\Windows\system32\certutil.exe
    certutil -f -decode shakyinconclusive gatewoman.dll
    3⤵
    PID:2372
- - C:\Windows\system32\rundll32.exe
    rundll32 gatewoman.dll,main
    3⤵
    - Loads dropped DLL
    PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\gatewoman.dll

Filesize
1.0MB

MD5
d5f35509799fe456a67d41558f1b0f80

SHA1
c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c

SHA256
ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e

SHA512
a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48

Download Submit
C:\Users\Admin\pleasantobject.bat

Filesize
1.4MB

MD5
6a6c6d9614e572fedbfb8d2eb108bb42

SHA1
347b37c4eb1c9d6f6d18d7ec13291436b43bab79

SHA256
23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b

SHA512
e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

Download Submit
C:\Users\Admin\shakyinconclusive

Filesize
1.4MB

MD5
6423b4a456dc34d7c6f67740aaa371fa

SHA1
d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5

SHA256
25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4

SHA512
31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181

Download Submit
\Users\Admin\gatewoman.dll

Filesize
542KB

MD5
d153ed33d30e2ddaf89bf9ee439b07e5

SHA1
7d97952ccbaae8ef669464b667e0566a301beb46

SHA256
117e67076bf63f47a24099cab489c90003e23989442e57c42c381dbdf460dbe6

SHA512
e4afff2ac31fff6876b1b7165d2d4aaaa484bb051c02732e66fc2bc12a11bea90eb3135e3f13aec1b91a06deac057ada664f50761a333a95d457a6ffe4af1a2a

Download Submit
\Users\Admin\gatewoman.dll

Filesize
857KB

MD5
412ae68a9ced8fb389a7048b5556597c

SHA1
abfdb7330d907734e704b7b06185886a82c1c3ef

SHA256
27d9881869e2cf3e551ca22189b0f5c59beb890726df478943b5218829eecafb

SHA512
00ca0b10cdbbc9733604c1a9112202ba7f255aefa4a41e4ba8544951885eb2f4e3d7ca768761c831f6bbc834906162ef2df79f45c9bc2c90e2e12bf978350605

Download Submit
\Users\Admin\gatewoman.dll

Filesize
531KB

MD5
383c9535bc906a81b652350b90fe8943

SHA1
ac03b4ced15266054e4d7b604629ed7bb5cfdab9

SHA256
f5a39c00cb381c72986c11668410e2a57b6f1b936236f5cf62480af3fcb41aec

SHA512
779926622aacb6ad1e93c3c19d9d8ea498546ad83c2e8e5f6f4bdde0304018cb41db0f88bb3c11015fd48dfc3be5b079d1ce100e4d0299cf4c62ba7064ed59f0

Download Submit
\Users\Admin\gatewoman.dll

Filesize
201KB

MD5
1c0567e97eafda1b89ffef4c07203663

SHA1
8999360c907c3b8666560489fff27cb961f6696d

SHA256
b6f49829c861ae5f62fcefb7530216f569a5456a8b6be8b5cbea6034f337471c

SHA512
ed35582dfa1160c1bc1b9a53685f45a83b94567577622bd83037e53e0d4d65ab6703b3a67d72fadb8b4307b65b0f621a8bf72f0b4e6940e74c1a62efa65e766f

Download Submit
memory/1408-1418-0x000007FEF6510000-0x000007FEF661E000-memory.dmp

Filesize
1.1MB

Download
memory/1408-1419-0x0000000000280000-0x00000000002A3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads