Malware Analysis Report

2025-01-18 09:30

Sample ID 240202-r8q45aahbk
Target quisisana-ag.zip
SHA256 cf5f5b0a1d18d969ed91d3c5b3c43b043da5f753ac7e6d584cea2805be6fc283
Tags strela stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file quisisana-ag.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-02-02 14:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 14:52

Reported

2024-02-02 14:54

Platform

win7-20231215-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"

C:\Windows\system32\findstr.exe

findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode insidiouswall ladybugwork.dll

C:\Windows\system32\rundll32.exe

rundll32 ladybugwork.dll,main
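The process list above is the whole dropper chain: cmd.exe copies the .js to vaguetongue.bat and runs it as batch, findstr /V drops every line that carries the marker agreetrick, the remaining body becomes certutil's input and is decoded into ladybugwork.dll, and rundll32 calls the DLL's main export. The script below is an added triage example, not code from the report or from the sample: it emulates findstr /V and certutil -decode so the DLL can be carved from the dropper offline without running it. The polyglot it parses is a constructed stand-in that reproduces only the marker/body layout (its batch lines are illustrative, not the sample's real JS/batch polyglot), the payload is a fake MZ stub, and the redirection of findstr's output into insidiouswall is inferred from insidiouswall being certutil's input rather than shown in the findstr command line.

```python
"""Offline recovery of a certutil-encoded payload from a marker-stripped batch dropper.

Added example: emulates `findstr /V <marker>` and `certutil -decode` in Python.
SAMPLE_DROPPER and FAKE_PAYLOAD are constructed for the example; only the marker
string, the file names and the command shapes come from the report.
"""
import base64
import hashlib
import re

MARKER = "agreetrick"  # marker from `findstr /V agreetrick ...` in the report

# Constructed fake payload: an MZ stub plus a few distinctive bytes, not a real DLL.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(16))
_B64_LINES = base64.encodebytes(FAKE_PAYLOAD).decode().splitlines()

# Constructed stand-in for vaguetongue.bat. Every "live" line carries the marker so
# findstr /V removes it; the unmarked lines are the certutil body. The batch lines
# are illustrative only (assumed layout, not the sample's real polyglot text).
SAMPLE_DROPPER = "\n".join([
    "agreetrick @echo off",
    'agreetrick findstr /V agreetrick "%~f0" > insidiouswall',
    "agreetrick certutil -f -decode insidiouswall ladybugwork.dll",
    "agreetrick rundll32 ladybugwork.dll,main",
    "-----BEGIN CERTIFICATE-----",
    *_B64_LINES,
    "-----END CERTIFICATE-----",
    "agreetrick exit /b",
]) + "\n"


def findstr_v(text: str, marker: str) -> str:
    """Emulate `findstr /V marker file`: keep only lines that do NOT contain marker.

    findstr is case-sensitive unless /I is given, so the match here is too.
    """
    return "".join(line + "\n" for line in text.splitlines() if marker not in line)


def certutil_decode(text: str) -> bytes:
    """Emulate `certutil -decode in out`.

    certutil accepts the base64 body with or without PEM-style BEGIN/END lines and
    ignores whitespace, so strip header/footer lines and every non-base64 character.
    """
    body = [line for line in text.splitlines() if not line.startswith("-----")]
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", "".join(body))
    return base64.b64decode(cleaned, validate=True)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def recover_payload(dropper_text: str, marker: str = MARKER) -> dict:
    """Run the two emulated stages and summarise the carved payload."""
    stage = findstr_v(dropper_text, marker)      # what would land in insidiouswall
    payload = certutil_decode(stage)              # what would land in ladybugwork.dll
    return {
        "stage_lines": stage.count("\n"),
        "size": len(payload),
        "sha256": sha256_hex(payload),
        "is_pe": payload[:2] == b"MZ",
    }


if __name__ == "__main__":
    print(recover_payload(SAMPLE_DROPPER))
```

On a real sample, replace SAMPLE_DROPPER with the contents of the dropped .bat and compare the SHA-256 of the carved bytes against the ladybugwork.dll hashes in the Files section; the final write listed there is the one to match, since the earlier entries are partial snapshots taken while certutil was still writing the file.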

Network

N/A

Files

C:\Users\Admin\vaguetongue.bat

MD5 c587f03e38a7ca5ac023ef8745264eb4
SHA1 a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512 e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

C:\Users\Admin\vaguetongue.bat

MD5 23bec89b6b4e73b890e6373139e1b510
SHA1 d84d91af2f42c977b61a6ee5a5ff5c825abbb5fa
SHA256 0b172321d9251d2348df4291672ee7307e7c97100072bd9e765cce99bb13127c
SHA512 31e54378d606ecbc46b6f7caba9c7bb6b2914180a2e254bc88e5aa2587b815ec3a372eb779072f79c8a2174240512272eabf60a7abf3ba11c9e8445bb25c5dda

C:\Users\Admin\insidiouswall

MD5 20d4ef96f2f9caa7370ff1ad48c45fec
SHA1 3e0050926e1053b98ec31f4cbf605fc4a4f6f649
SHA256 c156b77e4b3ab8420ed28b9ef833a9f5347599b8105f437cf528eb8a5b94cc61
SHA512 61926516dbb1074fc3d4440113c90d4648cd68df51b8b78cce512aca10824638c3df7aa3fde3dd03e17a4327043ee65feba2c94829e1a4ab9248a4b0f8986ea5

C:\Users\Admin\ladybugwork.dll

MD5 890552c641f835a3c95cff37c723dd03
SHA1 091e988bc7a0964f0f4f5713963a2c10dd55eb69
SHA256 74dba4602420500949cc29d49b1a3a4c2eda117a57e8b381e160ea776e0a7aca
SHA512 ae91a294130995e928e4a70be92cb805d37c6f7cf8cd243c559d76592d3c10d43be9175a42274a0cfd22ae9fe0da7f37a6402e19ca2e68475a0ba2fe658843fd

\Users\Admin\ladybugwork.dll

MD5 38a8e89fa048a9e16da38ed856b0de7a
SHA1 1d10e416ad37270b52a9fea220b14b83a478b510
SHA256 1fd09bae3d70c44ae72babbe071c0ef0b1553bb807b20e8b625802e5a7e9bad1
SHA512 ba7da3fa6f804e1f743aadf199d838136acf3458ba774b7590f04925b2c0b3161dc7693db0e1ffba25f8486da27897c8414d48b0a8747c393eb7c3811acfe711

\Users\Admin\ladybugwork.dll

MD5 325026c11fbe6981a88e05ef236fbb60
SHA1 8ec4f01340d6810b0f2b58f0854892f0a14db606
SHA256 17b6adf1b6e29a589bff2bed3b4288cf3edcda6f84a131377c8c64e942323c53
SHA512 72be7001376f9c47a70b7f32bb7cbce08f94296f296a715968e15683a2a13108980f074afab0bd9b7e245da3ba604a89cb3a0160349b433b2d9ac857e0d0552f

\Users\Admin\ladybugwork.dll

MD5 2576ea62768fb301fe7db961e005ee21
SHA1 e985dd24f96fa26b803dbc573465820007bfe304
SHA256 ca2f8f9266aefefad9b32479aca3acf74a814b4670daf6ffe8e6c305fdd1f203
SHA512 574ec796787e8eb5466c542cfa886115ebf24a802feefbb38e1eea49a07acd49b87fd202862bc139472a1fe35089475a00541d9c083c029d3eb0459537773bb9

\Users\Admin\ladybugwork.dll

MD5 9a1a23f5933c216e489a7f70aaf59b3d
SHA1 850542e45108caed0785f3b97e98ec12c176c685
SHA256 20175eaff3959a9e83350e9086cf9d892344b52ec88606c5be74103be1eef793
SHA512 94154a9019f912062fe541cee7ac3847ef0c3da3db9dd58bc52f2ca443e78e9d2058da1c87b1e03e996862423f4025053ac2d46bbfdc90b16e7f6dc0ae24974b

memory/2832-2009-0x0000000000110000-0x0000000000133000-memory.dmp

memory/2832-2008-0x000007FEF5A30000-0x000007FEF5BA2000-memory.dmp

memory/2832-2010-0x0000000000110000-0x0000000000133000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 14:52

Reported

2024-02-02 14:54

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js

Signatures

Strela

stealer strela

Checks computer location settings

Description        Indicator                                                                                              Process                          Target
Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\wscript.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                          Target
PID 1096 wrote to memory of 1764  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 1096 wrote to memory of 1764  N/A        C:\Windows\system32\wscript.exe  C:\Windows\System32\cmd.exe
PID 1764 wrote to memory of 3268  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 1764 wrote to memory of 3268  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\findstr.exe
PID 1764 wrote to memory of 4360  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 1764 wrote to memory of 4360  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\certutil.exe
PID 1764 wrote to memory of 3196  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\rundll32.exe
PID 1764 wrote to memory of 3196  N/A        C:\Windows\System32\cmd.exe      C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"

C:\Windows\system32\findstr.exe

findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode insidiouswall ladybugwork.dll

C:\Windows\system32\rundll32.exe

rundll32 ladybugwork.dll,main
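The WriteProcessMemory rows above give the parent/child relationships (wscript.exe 1096 spawns cmd.exe 1764, which spawns findstr 3268, certutil 4360 and rundll32 3196) and the Processes list gives each child's command line, which is enough to write a process-tree detection. The script below is an added example, not part of the report: it loads constructed process-creation events that reuse those PIDs and command lines (plus a benign certutil invocation as noise), rebuilds the tree, and alerts on a script host whose cmd.exe child runs both certutil -decode and rundll32 with a bare DLL name. The flat event schema (pid, ppid, image, cmdline), the parent PID 800 for wscript.exe, the extra script hosts in SCRIPT_HOSTS and the rule regexes are assumptions made for the example.

```python
"""Process-tree detection for the script host -> cmd.exe -> findstr / certutil -decode / rundll32 chain.

Added example. The malicious rows in EVENTS reuse the PIDs and command lines
reported for behavioral2; the event schema, PIDs 800/5000/5001 and the
regexes are assumptions for the example.
"""
import re
from collections import defaultdict

# Chain roots. wscript.exe is what the report shows; cscript.exe and mshta.exe are
# added on the assumption that they deserve the same scrutiny.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# One regex per stage of the chain in the report. The stage names are ours.
RULES = {
    "copy_script_to_bat": re.compile(r'\bcopy\s+"[^"]+\.js"\s+"[^"]+\.bat"', re.I),
    "findstr_strip_marker": re.compile(r"\bfindstr(\.exe)?\s+/V\b", re.I),
    "certutil_decode": re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I),
    # A bare file name (no path separator) makes rundll32 resolve the DLL from the
    # working directory, which is how ladybugwork.dll is loaded in the report.
    "rundll32_bare_dll": re.compile(r"\brundll32(\.exe)?\s+[^\\/\s]+\.dll,\w+", re.I),
}
# Both must appear under one cmd.exe before we alert; the other stages enrich the alert.
REQUIRED = {"certutil_decode", "rundll32_bare_dll"}

# Constructed process-creation events (normalised schema assumed for the example).
EVENTS = [
    {"pid": 1096, "ppid": 800, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js"},
    {"pid": 1764, "ppid": 1096, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\24946_15193478413494.js" "C:\Users\Admin\\vaguetongue.bat" && "C:\Users\Admin\\vaguetongue.bat"'},
    {"pid": 3268, "ppid": 1764, "image": r"C:\Windows\system32\findstr.exe",
     "cmdline": r'findstr /V agreetrick ""C:\Users\Admin\\vaguetongue.bat""'},
    {"pid": 4360, "ppid": 1764, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": "certutil -f -decode insidiouswall ladybugwork.dll"},
    {"pid": 3196, "ppid": 1764, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32 ladybugwork.dll,main"},
    # Invented benign noise: an interactive shell listing a certificate store.
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": "certutil -store my"},
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Return one alert per script host -> cmd.exe pair that completes the chain."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for host in events:
        if basename(host["image"]) not in SCRIPT_HOSTS:
            continue
        for shell in children[host["pid"]]:
            if basename(shell["image"]) != "cmd.exe":
                continue
            # Check the shell's own command line (the copy) and each direct child.
            hits = {}
            for proc in [shell, *children[shell["pid"]]]:
                for name, rx in RULES.items():
                    if rx.search(proc["cmdline"]):
                        hits[name] = proc["pid"]
            if REQUIRED.issubset(hits):
                alerts.append({"root_pid": host["pid"], "shell_pid": shell["pid"], "stages": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

Requiring certutil -decode and rundll32 together under the same cmd.exe is what keeps the benign certutil row quiet; the findstr and copy stages are recorded in the alert so an analyst can see which files to pull (the .bat, the decoded body and the DLL) before the host is isolated.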

Network

Country  Destination       Domain                       Proto
US       8.8.8.8:53        97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53        179.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53        76.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53        183.142.211.20.in-addr.arpa  udp
US       138.91.171.81:80  N/A                          tcp
US       8.8.8.8:53        28.118.140.52.in-addr.arpa   udp
US       8.8.8.8:53        26.165.165.52.in-addr.arpa   udp
US       8.8.8.8:53        198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53        217.135.221.88.in-addr.arpa  udp
US       8.8.8.8:53        16.234.44.23.in-addr.arpa    udp
US       8.8.8.8:53        177.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53        81.171.91.138.in-addr.arpa   udp
US       8.8.8.8:53        43.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53        175.178.17.96.in-addr.arpa   udp

All UDP rows are PTR (reverse) lookups sent to 8.8.8.8. The only direct connection is TCP/80 to 138.91.171.81; its reverse name, 81.171.91.138.in-addr.arpa, is among the PTR queries. The report does not tie these lookups to a process, so the PTR traffic alone should not be read as confirmed command-and-control without the capture.

Files

C:\Users\Admin\vaguetongue.bat

MD5 c587f03e38a7ca5ac023ef8745264eb4
SHA1 a01598d9c8812f2609f0a868c8e44a81ad3c0685
SHA256 1bf9722c0d8d00609a12614e512f662ea693a8d22a8854ccfcb2de8ca858d16a
SHA512 e6ee7687dddc0e23717c42ba2bf0b46cc19dcf3ff557c5be3e06fbea3e82520f5fa39afa315ff78408d812308ae04ed10a9e3cfa837a4ac5e11d9c4989f4d816

C:\Users\Admin\insidiouswall

MD5 73c7a5a0060662b6d39adb4933d83d7e
SHA1 97c0a2102a6398047b0256316f235279e74afe3d
SHA256 dfd5b00748f07ce813bbf47c4128912ed5517b1e9fd1a1d6f5eeb6c4e2e751b5
SHA512 629b6439e44a4ba8dc502228ca269a8e9e8b7ea9b7459b2565c467d0ed059db8cf0f58f25d7cd7c4892cae52c8c52f87c818e4cd36235d7c648d5b27cb450084

C:\Users\Admin\ladybugwork.dll

MD5 172a0cf1298ee04df575d6fd591ec63c
SHA1 29fab1e4477846d226c7e81994958137992a6aed
SHA256 f7df69f6ccb0e06757846ef8e5d4e02026757981b3cdcc7dcf4fd1598c24222c
SHA512 6cc1740825c4da4d3623dd982613c7581410d007d37ac76277683592f562e080101cd1eee40a1b96fd86683b5db887452596fd87e413c6c6570dcac9113dfae8

C:\Users\Admin\ladybugwork.dll

MD5 6dcd37226bb68e40f5b6e58361bb0210
SHA1 bb2a47f726aa56a658822ce575b5363f5257047f
SHA256 639e341b9fc9d256a502d91b784798e09c77fabe6347567a8bbff9c0819c9037
SHA512 203ee3765f0073ae0d246cb0c4b6eab7d9d989a6487baef91bf8e52d57ee1d033564b0fee519612178e6343f3e1884bc16f959f2ea967b317cafba0048febf7f

memory/3196-2006-0x000001DA86B00000-0x000001DA86B23000-memory.dmp

memory/3196-2005-0x00007FFF3C0F0000-0x00007FFF3C262000-memory.dmp

memory/3196-2007-0x000001DA86B00000-0x000001DA86B23000-memory.dmp