Malware Analysis Report

2025-01-18 09:30

Sample ID 240202-bqtvascham
Target 6a6c6d9614e572fedbfb8d2eb108bb42.bin
SHA256 16dbe515cf6abb556aeec4f89f837af4fb66f8d279dcd05832cc9b9eb9c29d4f
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16dbe515cf6abb556aeec4f89f837af4fb66f8d279dcd05832cc9b9eb9c29d4f

Threat Level: Known bad

The file 6a6c6d9614e572fedbfb8d2eb108bb42.bin was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 01:21

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 01:21

Reported

2024-02-02 01:24

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1468 wrote to memory of 4888 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1468 wrote to memory of 4888 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4888 wrote to memory of 4944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4888 wrote to memory of 4944 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4888 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4888 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4888 wrote to memory of 4716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4888 wrote to memory of 4716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
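The table above gives the parent/child links (wscript.exe 1468 -> cmd.exe 4888 -> findstr.exe 4944, certutil.exe 2596, rundll32.exe 4716) and the Processes section gives the command lines. The following is an added detection example, not part of the sandbox report: it takes constructed process-creation records built from those PIDs and command lines (plus two benign certutil/rundll32 records added as noise) and flags the chain on three points: certutil invoked with a decode switch, rundll32 loading a DLL that is not under a system directory, and both occurring under one parent with a script host in the lineage. PID 1 as the root parent and the rule names are assumptions.

```python
"""Added example: flag the wscript -> cmd -> certutil -decode / rundll32 staging chain
from process-creation records (constructed records, not sandbox output)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records. PIDs, images and command lines follow the behavioral2 run on
# this page; the parent links come from the WriteProcessMemory table. PID 1 stands in
# for whatever launched wscript.exe (assumption), and the last two entries are benign
# noise added to show the rules do not fire on ordinary certutil / rundll32 use.
EVENTS = [
    Proc(1468, 1, r"C:\Windows\system32\wscript.exe",
         r"wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js"),
    Proc(4888, 1468, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"'),
    Proc(4944, 4888, r"C:\Windows\system32\findstr.exe",
         r'findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""'),
    Proc(2596, 4888, r"C:\Windows\system32\certutil.exe",
         r"certutil -f -decode shakyinconclusive gatewoman.dll"),
    Proc(4716, 4888, r"C:\Windows\system32\rundll32.exe",
         r"rundll32 gatewoman.dll,main"),
    Proc(5001, 1, r"C:\Windows\system32\certutil.exe", r"certutil -verify cert.cer"),
    Proc(5002, 1, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DECODE_FLAGS = {"-decode", "/decode", "-decodehex", "/decodehex"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_name(p: Proc) -> str:
    return PureWindowsPath(p.image).name.lower()


def ancestors(procs, pid):
    """Walk parent links upward; stops when the parent is not in the record set."""
    by_pid = {p.pid: p for p in procs}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def has_script_host_ancestor(procs, p: Proc) -> bool:
    return any(image_name(a) in SCRIPT_HOSTS for a in ancestors(procs, p.pid))


def rundll32_target(cmdline: str):
    """'rundll32 <dll>,<export> ...' -> <dll>; None if there is no argument."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"')


def is_system_dll(path: str) -> bool:
    # A bare file name (as in 'rundll32 gatewoman.dll,main') resolves against the
    # working directory, so it is never treated as a system DLL.
    return path.lower().startswith(SYSTEM_DIRS)


def detect(procs):
    """Return sorted (pid, rule) findings over the records."""
    findings = set()
    decode_parents, load_parents = set(), set()
    for p in procs:
        name = image_name(p)
        tokens = set(p.cmdline.lower().split())
        if name == "certutil.exe" and tokens & DECODE_FLAGS:
            findings.add((p.pid, "certutil_decode"))
            decode_parents.add(p.ppid)
            if has_script_host_ancestor(procs, p):
                findings.add((p.pid, "script_host_lineage"))
        elif name == "rundll32.exe":
            target = rundll32_target(p.cmdline)
            if target and not is_system_dll(target):
                findings.add((p.pid, "rundll32_nonsystem_dll"))
                load_parents.add(p.ppid)
                if has_script_host_ancestor(procs, p):
                    findings.add((p.pid, "script_host_lineage"))
    # The same parent decoded a file and then loaded a non-system DLL: the chain itself.
    for ppid in decode_parents & load_parents:
        findings.add((ppid, "decode_then_load"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

On these records the rules fire on certutil.exe 2596, rundll32.exe 4716 and their common parent cmd.exe 4888, and stay silent on the two benign records. The "decode_then_load" rule is the one worth alerting on by itself; the per-process rules are noisier on hosts where certutil is used legitimately.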

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"

C:\Windows\system32\findstr.exe

findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode shakyinconclusive gatewoman.dll

C:\Windows\system32\rundll32.exe

rundll32 gatewoman.dll,main
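The three command lines above describe the staging: findstr /V drops every line of the copied script that contains the word militarysnore, certutil -f -decode base64-decodes what is left into gatewoman.dll, and rundll32 loads that DLL by bare file name (so it resolves in the working directory, C:\Users\Admin) and calls its export main. The following is an added example, not the sample's code: it emulates each step on a constructed mock of the second-stage file and a constructed stand-in payload, so the real gatewoman.dll is not reproduced. The mock's batch lines, and the assumption that findstr's output was redirected into shakyinconclusive (the redirection is not in the captured command line, but the file appears under Files and is the input to certutil), are illustrative.

```python
"""Added example: emulate the staging commands (findstr /V, certutil -decode, rundll32
by bare file name) on a constructed stand-in for pleasantobject.bat."""
import base64
import hashlib

MARKER = "militarysnore"  # the string findstr /V filters on, from the command line above

# Constructed stand-in for the decoded payload; the real gatewoman.dll is not on this
# page. Only the 'MZ' DOS header matters for the check below.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed stand-in, not the real DLL"


def build_polyglot(payload: bytes, marker: str) -> str:
    """Constructed mock of the second-stage batch file. Every batch line carries the
    marker so findstr /V drops exactly those lines; the redirection into
    'shakyinconclusive' is an assumption (it is not in the captured command line)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "\n".join([
        f"@echo off & rem {marker}",
        f'findstr /V {marker} "%~f0" > shakyinconclusive & rem {marker}',
        f"certutil -f -decode shakyinconclusive gatewoman.dll & rem {marker}",
        f"rundll32 gatewoman.dll,main & rem {marker}",
        f"exit /b & rem {marker}",
        "-----BEGIN CERTIFICATE-----",
        body,
        "-----END CERTIFICATE-----",
    ])


def findstr_v(text: str, marker: str) -> str:
    """findstr /V: emit only the lines that do not contain the string (case-sensitive)."""
    return "\n".join(line for line in text.splitlines() if marker not in line)


def certutil_decode(text: str) -> bytes:
    """certutil -decode: skip the -----BEGIN/END----- armour and whitespace, then
    base64-decode the rest. Invalid input raises, which is what a failed decode
    (no gatewoman.dll written) looks like on the host."""
    b64 = "".join(line.strip() for line in text.splitlines()
                  if line.strip() and not line.startswith("-----"))
    return base64.b64decode(b64, validate=True)


def stage(polyglot: str, marker: str) -> dict:
    """Run the chain and return what an analyst would check on the two artefacts."""
    shaky = findstr_v(polyglot, marker)   # content of 'shakyinconclusive'
    dll = certutil_decode(shaky)          # content of 'gatewoman.dll'
    return {
        "lines_removed": len(polyglot.splitlines()) - len(shaky.splitlines()),
        "is_pe": dll[:2] == b"MZ",        # rundll32 needs a real PE to reach export 'main'
        "sha256": hashlib.sha256(dll).hexdigest(),
        "payload": dll,
    }


if __name__ == "__main__":
    result = stage(build_polyglot(FAKE_PAYLOAD, MARKER), MARKER)
    print(result["lines_removed"], result["is_pe"], result["sha256"])
```

Because the filter and the decoder each write a separate file, the sandbox hashes the intermediate shakyinconclusive and the final gatewoman.dll independently, which is why both appear under Files with different digests from the dropped .bat. The same emulation is the quickest way to recover the DLL from a captured script offline without running any of the three LOLBins.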

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

All captured traffic consists of reverse-DNS (PTR) lookups sent to 8.8.8.8:53; no other outbound connection was recorded within the 156 s network window, so no second-stage or command-and-control endpoint can be derived from this run.

Files

C:\Users\Admin\pleasantobject.bat

MD5 6a6c6d9614e572fedbfb8d2eb108bb42
SHA1 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512 e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

C:\Users\Admin\shakyinconclusive

MD5 6423b4a456dc34d7c6f67740aaa371fa
SHA1 d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5
SHA256 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4
SHA512 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181

C:\Users\Admin\gatewoman.dll

MD5 d5f35509799fe456a67d41558f1b0f80
SHA1 c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c
SHA256 ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e
SHA512 a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48

memory/4716-1415-0x00007FFA32080000-0x00007FFA3218E000-memory.dmp

memory/4716-1416-0x0000021761160000-0x0000021761183000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 01:21

Reported

2024-02-02 01:24

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b.js" "C:\Users\Admin\\pleasantobject.bat" && "C:\Users\Admin\\pleasantobject.bat"

C:\Windows\system32\findstr.exe

findstr /V militarysnore ""C:\Users\Admin\\pleasantobject.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode shakyinconclusive gatewoman.dll

C:\Windows\system32\rundll32.exe

rundll32 gatewoman.dll,main

Network

N/A

Files

C:\Users\Admin\pleasantobject.bat

MD5 6a6c6d9614e572fedbfb8d2eb108bb42
SHA1 347b37c4eb1c9d6f6d18d7ec13291436b43bab79
SHA256 23107ced99838695bf4391c1271bafce47fad96e95b28f52df0a060038f80a7b
SHA512 e7b0a9980f6a08c709ce251baf43553c1799dd7593ad8620d80aeaa1366934072bfd40edbc4d3b6660e8c31b6a74577ad34eb7fd93a3685ac4504eed58c22499

C:\Users\Admin\shakyinconclusive

MD5 6423b4a456dc34d7c6f67740aaa371fa
SHA1 d9d4c432b60581b9d8b3fdd55e781ce5ff5e6df5
SHA256 25abcd9fb9ee09402dbc40b58466283739f223932fef07239f11548af088e9b4
SHA512 31c99c287ad497c14f70bd99163e9304952f662089b774ebbc94bf70c07e27ecc683d9e4ace957f17028883c0643e55a0e5ffcceaacc33e95ffd9f748c61b181

C:\Users\Admin\gatewoman.dll

MD5 d5f35509799fe456a67d41558f1b0f80
SHA1 c7d1cb4541fadc69dc2f3a6f04b2940600d12e5c
SHA256 ae1388f95f2678b7b6aabaf430b646710cdea10850c2556fbfcc0fb068e6fe4e
SHA512 a9ed4db26bde7a085678ad15fb01e6be0ff4af0c8ffc5f6cdde99d9141b01e6889dbe2f172ae1723f479e0c75488eee6a7a6e79a7529c4dbb95381a80a1c6e48

\Users\Admin\gatewoman.dll

MD5 d153ed33d30e2ddaf89bf9ee439b07e5
SHA1 7d97952ccbaae8ef669464b667e0566a301beb46
SHA256 117e67076bf63f47a24099cab489c90003e23989442e57c42c381dbdf460dbe6
SHA512 e4afff2ac31fff6876b1b7165d2d4aaaa484bb051c02732e66fc2bc12a11bea90eb3135e3f13aec1b91a06deac057ada664f50761a333a95d457a6ffe4af1a2a

\Users\Admin\gatewoman.dll

MD5 1c0567e97eafda1b89ffef4c07203663
SHA1 8999360c907c3b8666560489fff27cb961f6696d
SHA256 b6f49829c861ae5f62fcefb7530216f569a5456a8b6be8b5cbea6034f337471c
SHA512 ed35582dfa1160c1bc1b9a53685f45a83b94567577622bd83037e53e0d4d65ab6703b3a67d72fadb8b4307b65b0f621a8bf72f0b4e6940e74c1a62efa65e766f

\Users\Admin\gatewoman.dll

MD5 383c9535bc906a81b652350b90fe8943
SHA1 ac03b4ced15266054e4d7b604629ed7bb5cfdab9
SHA256 f5a39c00cb381c72986c11668410e2a57b6f1b936236f5cf62480af3fcb41aec
SHA512 779926622aacb6ad1e93c3c19d9d8ea498546ad83c2e8e5f6f4bdde0304018cb41db0f88bb3c11015fd48dfc3be5b079d1ce100e4d0299cf4c62ba7064ed59f0

\Users\Admin\gatewoman.dll

MD5 412ae68a9ced8fb389a7048b5556597c
SHA1 abfdb7330d907734e704b7b06185886a82c1c3ef
SHA256 27d9881869e2cf3e551ca22189b0f5c59beb890726df478943b5218829eecafb
SHA512 00ca0b10cdbbc9733604c1a9112202ba7f255aefa4a41e4ba8544951885eb2f4e3d7ca768761c831f6bbc834906162ef2df79f45c9bc2c90e2e12bf978350605

memory/1408-1418-0x000007FEF6510000-0x000007FEF661E000-memory.dmp

memory/1408-1419-0x0000000000280000-0x00000000002A3000-memory.dmp