strela | e8caf52bbaedb485fcfe0a3b3e9aa5cc5ae3bec03f1d348c5b15075d4e67ea9a

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4035_4414671332562.js
Size

1.7MB
MD5

5691f001d9a83639c5f6fed3e999e090
SHA1

2ba3ef2e2cca6dfdf154b0565901b4da5833cab9
SHA256

7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e
SHA512

9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65
SSDEEP

24576:NdjoqRpEnFJoYgKyWGjg5Y0SNS/tSgVNkBI2KCcaxazM9jlVQ8l4PbmFCMX1/QQS:I7RGq

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation wscript.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5036 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
5036	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 3216 wrote to memory of 1300	3216	wscript.exe	cmd.exe
PID 3216 wrote to memory of 1300	3216	wscript.exe	cmd.exe
PID 1300 wrote to memory of 2096	1300	cmd.exe	findstr.exe
PID 1300 wrote to memory of 2096	1300	cmd.exe	findstr.exe
PID 1300 wrote to memory of 5032	1300	cmd.exe	certutil.exe
PID 1300 wrote to memory of 5032	1300	cmd.exe	certutil.exe
PID 1300 wrote to memory of 5036	1300	cmd.exe	rundll32.exe
PID 1300 wrote to memory of 5036	1300	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\findstr.exe
findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""
3⤵
PID:2096

C:\Windows\system32\certutil.exe
certutil -f -decode comfortablesteer scorchapparatus.dll
3⤵
PID:5032

C:\Windows\system32\rundll32.exe
rundll32 scorchapparatus.dll,main
3⤵
- Loads dropped DLL
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\comfortablesteer

Filesize
1.7MB

MD5
7a91573a5cb5b3d5e556a73b941e7a61

SHA1
a5706eda70203aa7c94cf5b64ef85fdaed911042

SHA256
6a77f1e14cdd5f82663142d6fe336352214711430ab2cc927400478bd0bb3a0c

SHA512
d2ec3667f14e89966ef1f7fc8b84d4e9832a1ed97c610de7a076d3ba9bb69af12e7815b0fde544e77ee36b7b1a52f6522122173798a6630c0f82263970e7e98b

Download Submit
C:\Users\Admin\scorchapparatus.dll

Filesize
1.3MB

MD5
7d19af9fe28f09457ea7298f66209d87

SHA1
df12676dd52ebb819f80e4bf8d065b4a2052fa25

SHA256
8c02f8457ae523721015fef6ee912fa55bda6251498f93a5d3c35cbddf34ac6a

SHA512
c336122f9a37e5e3c23ee7a2278e01b70fd09280110e62617546014cf0ea48647b231bbfb82854b98f194cea6f59f8c79c531c0b34f7d6001fa2c15d43b865fc

Download Submit
C:\Users\Admin\womanlypoor.bat

Filesize
1.7MB

MD5
5691f001d9a83639c5f6fed3e999e090

SHA1
2ba3ef2e2cca6dfdf154b0565901b4da5833cab9

SHA256
7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e

SHA512
9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65

Download Submit
memory/5036-1776-0x00007FFECC670000-0x00007FFECC7BA000-memory.dmp

Filesize
1.3MB

Download
memory/5036-1777-0x0000023E11A60000-0x0000023E11A83000-memory.dmp

Filesize
140KB

Download