Malware Analysis Report

2025-01-18 09:31

Sample ID 240204-se8yhsefgp
Target 04022024_2303_02022024_tshirtstore.zip
SHA256 e8caf52bbaedb485fcfe0a3b3e9aa5cc5ae3bec03f1d348c5b15075d4e67ea9a
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8caf52bbaedb485fcfe0a3b3e9aa5cc5ae3bec03f1d348c5b15075d4e67ea9a

Threat Level: Known bad

The file 04022024_2303_02022024_tshirtstore.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 15:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 15:03

Reported

2024-02-04 15:06

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"

C:\Windows\system32\findstr.exe

findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode comfortablesteer scorchapparatus.dll

C:\Windows\system32\rundll32.exe

rundll32 scorchapparatus.dll,main
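The process list above is a complete unpacking chain that can be replayed offline without detonating anything: `findstr /V mellowfemale` throws away every line of the copied script that carries the marker string, and `certutil -f -decode` turns what is left into the DLL that rundll32 later loads. The Python below is an added example (not part of the sandbox report or the sample) that re-implements those two stages and reports whether the result looks like a PE file. It assumes, since the report does not show the redirect, that the findstr output is what ends up in `comfortablesteer`, and the polyglot it decodes is a constructed stand-in whose base64 body is a fake "MZ" blob, not the real `scorchapparatus.dll`.

```python
"""Offline re-implementation of the unpacking chain the sandbox recorded:

    cmd /k copy <dropper>.js womanlypoor.bat && womanlypoor.bat
    findstr /V mellowfemale womanlypoor.bat      (-> comfortablesteer, assumed)
    certutil -f -decode comfortablesteer scorchapparatus.dll
    rundll32 scorchapparatus.dll,main

The copy step changes nothing for decoding and the rundll32 step is not run:
this only recovers the DLL bytes for triage.
Added example; the polyglot built below is CONSTRUCTED, not the real sample.
"""
import base64
import hashlib
import re

MARKER = "mellowfemale"          # the findstr /V filter string from the report

# certutil -decode tolerates PEM-style armour around the base64 body.
_PEM_LINE = re.compile(rb"^-----(BEGIN|END) [^-]+-----$")


def findstr_v(data: bytes, marker: str) -> bytes:
    """Emulate `findstr /V <marker>`: keep only lines NOT containing the marker.
    findstr treats its pattern as a regex, but this marker is plain letters,
    so a substring test is equivalent."""
    needle = marker.encode()
    kept = [line for line in data.splitlines() if needle not in line]
    return b"\r\n".join(kept) + b"\r\n"


def certutil_decode(data: bytes) -> bytes:
    """Emulate `certutil -decode`: drop blank and PEM header/footer lines,
    concatenate the rest and strictly base64-decode (garbage -> ValueError,
    where certutil would report an error and write nothing)."""
    body = b"".join(
        line.strip() for line in data.splitlines()
        if line.strip() and not _PEM_LINE.match(line.strip())
    )
    return base64.b64decode(body, validate=True)


def unpack(polyglot: bytes, marker: str = MARKER) -> dict:
    """Run findstr /V + certutil -decode and return triage facts about the result."""
    payload = certutil_decode(findstr_v(polyglot, marker))
    return {
        "is_pe": payload[:2] == b"MZ",      # DOS header magic; enough for a first look
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "payload": payload,
    }


# --- constructed sample input (stands in for womanlypoor.bat) -----------------
FAKE_DLL = b"MZ" + b"\x90" * 64 + b"constructed stand-in, not a real DLL"


def build_sample(payload: bytes = FAKE_DLL, marker: str = MARKER) -> bytes:
    """Constructed JS/BAT-style polyglot: every script line carries the marker
    so findstr /V removes it; what remains is the base64 body of the payload.
    Assumption: this mirrors the layout implied by the report's command lines."""
    b64 = base64.b64encode(payload)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # certutil-style 64-col lines
    mk = marker.encode()
    lines = [
        b"// " + mk + b" : script header line, dropped by findstr /V",
        b"-----BEGIN CERTIFICATE-----",
        *body,
        b"-----END CERTIFICATE-----",
        b"@echo off & rem " + mk,
        b"certutil -f -decode comfortablesteer scorchapparatus.dll & rem " + mk,
    ]
    return b"\r\n".join(lines) + b"\r\n"


if __name__ == "__main__":
    result = unpack(build_sample())
    print(f"PE header: {result['is_pe']}  size: {result['size']}  sha256: {result['sha256']}")
```

Run against the real dropper, `unpack()` gives you the DLL hash to compare with the `scorchapparatus.dll` entries under Files without ever executing the script; a `ValueError` from the decode stage means the marker string or the file layout differs from what the command lines suggest.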

Network

N/A

Files

C:\Users\Admin\womanlypoor.bat

MD5 5691f001d9a83639c5f6fed3e999e090
SHA1 2ba3ef2e2cca6dfdf154b0565901b4da5833cab9
SHA256 7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e
SHA512 9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65

C:\Users\Admin\womanlypoor.bat

MD5 86feb3958edd3359028fb58fb342b956
SHA1 7cdc2415951d668cc81a2145ccd16e8ca9bb625f
SHA256 cc361c51487d162c04329d6d4bcffc0d3b2e0f2d5bb17ff41c7ac59dfd81cf17
SHA512 94d801679279f385193b880c7f7466c1653ee073a9e164fe727e9b88d07408161c4a097c891d123932fdcec2dbc2205a8787384face85e585fda483498d210aa

C:\Users\Admin\comfortablesteer

MD5 85c5984b1c3e85af87341c9849e6e414
SHA1 f290180076dcaba1dbfa649e359f479ca68bc2db
SHA256 886c894b9f537531ac52bab36464ae8f5bb3358a89984a3f02fddc6b7445b306
SHA512 f11e3405b58a935d30a0395c758ade37c641419bc5b443daedba769f31e3e688c0235a41309d1e0e321d7d79c0176493e47f9d9991eb947e0a4d84fef069d165

\Users\Admin\scorchapparatus.dll

MD5 32fe5e6e9827b4e8286f876360a41959
SHA1 1b23dcc78e51b7c87d634a4ceee61d92180ac769
SHA256 ef54d38aa8a68214d5d9f2ea9a20e3d877f9be8d94bfb36f01dc9c38bcc3a708
SHA512 65a6babc7f57bf139d61c4834abc8d6d23a4969b1086a86a8e250d783304838225a32301b4166bc1dcd23086a66d514e1ee316ce25d504f85c03d2a7713d50de

\Users\Admin\scorchapparatus.dll

MD5 c5c1b3015e1feb0176b3123d0ab80e02
SHA1 e57b5efbf81602105a582f82bf250cc8ebdbba58
SHA256 f325fa4313c0db43df400fba1a99c129dd3d46ce3ac94cffba04f1703096e7fe
SHA512 a76d1a9254a77428f87b59a5ce5f71a39ddd8b61a7e54ff65211cd5fd6510c33433f085bba35a0d154005fb8dafb63ef513a56674540c7b1bc063915aa1e0ebb

\Users\Admin\scorchapparatus.dll

MD5 d9efaa2e2292c8255074099bc4db605a
SHA1 584464ab51dd13b5942e405d94f95edc0cc224ec
SHA256 1e36b0d2a4cf63f7729700d16cec4478fef537a0ebdb4b30e6634db8ae651385
SHA512 c380b9ef68154b28b8e806e8a84b55414057621a5fcaf13f4d5a957eb7f235afb17b565e70640bf8d5c67f6a69d411aa32a76c97a551ae88c69d8ea682635ca1

\Users\Admin\scorchapparatus.dll

MD5 c8fd979ac8a4fa4d9c48896b5cdb8c98
SHA1 7a0112c6e52ab0ce87e056a7039eaafb6729de5b
SHA256 1a5e43ce2aa335d0819a04fe9fc3f0e030bcb6266826785cecdff0b1fc47b238
SHA512 5ff9a29ea3586473283008918d1f17040e6b7f12872bb8012e795518f15d6c8d49c7dff43074ab633598d4e917773ae2fd8ea371ef2b009cf2b2874bc40af44c

C:\Users\Admin\scorchapparatus.dll

MD5 66ab7d46797406c3e66099d060e7ba6f
SHA1 329a7eecefbd5f5f138a7ca51593fcb81467d928
SHA256 fa67fcbf0cc99749ce84cc5730f81304c2f8042b6e1ae13fb47fe0b535310a00
SHA512 81488283aadb5ad93569ae78da3094ded001087df76b22fa744d5c10acff465d83e5222128546fa46fe6c2616ee60a8f345d7bd7c5c939a165b3f798b9df4d3e

memory/2072-1779-0x000007FEF68D0000-0x000007FEF6A1A000-memory.dmp

memory/2072-1780-0x0000000000680000-0x00000000006A3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 15:03

Reported

2024-02-04 15:06

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

145s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 1300 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3216 wrote to memory of 1300 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1300 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1300 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1300 wrote to memory of 5032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1300 wrote to memory of 5032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 1300 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1300 wrote to memory of 5036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" "C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"

C:\Windows\system32\findstr.exe

findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode comfortablesteer scorchapparatus.dll

C:\Windows\system32\rundll32.exe

rundll32 scorchapparatus.dll,main
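The WriteProcessMemory table and the process list above give the full parent/child tree, which is what a detection should key on rather than on the throwaway file names. The Python below is an added example, not part of the sandbox report, of process-creation rules run over events of the kind an EDR or Sysmon event ID 1 would carry: a script host spawning cmd.exe, certutil used as a decoder, rundll32 loading a module from outside the system directories, and a correlation that ties certutil's output file to the module rundll32 loads under the same cmd.exe parent. The event list is constructed to mirror the behavioral2 tree (PIDs and command lines from the report); the parent PID 1000 for wscript and the two benign rows are invented for contrast.

```python
"""Detection logic for the process chain the sandbox recorded:

    wscript.exe -> cmd.exe /k copy ... .bat -> findstr /V, certutil -decode, rundll32 <dll>,main

Rules run over process-creation events (pid, ppid, image, command line).
Added example; the events below are constructed to mirror the behavioral2
tree (PIDs 3216, 1300, 2096, 5032, 5036 and the command lines are from the
report; ppid 1000 for the script host and the two benign rows are invented).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def is_certutil_decode(ev: ProcEvent) -> bool:
    """certutil used as a decoder (-decode / -decodehex, either switch char)."""
    low = ev.cmdline.lower()
    return _name(ev.image) == "certutil.exe" and ("-decode" in low or "/decode" in low)


def rundll32_module(ev: ProcEvent) -> Optional[str]:
    """Module argument of a rundll32 command line ('rundll32 x.dll,main' -> 'x.dll')."""
    if _name(ev.image) != "rundll32.exe":
        return None
    parts = ev.cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"').lower()


def is_rundll32_nonsystem_module(ev: ProcEvent) -> bool:
    """rundll32 loading a DLL that is not under the Windows system directories
    (a relative name such as 'scorchapparatus.dll' resolves against the CWD,
    here the user profile)."""
    mod = rundll32_module(ev)
    return mod is not None and not mod.startswith(SYSTEM_DIRS)


def detect(events: list) -> list:
    """Return (rule, pid) findings: single-event rules first, then the
    correlation that ties certutil's output file to the rundll32 module."""
    by_pid = {e.pid: e for e in events}
    children: dict = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if _name(e.image) == "cmd.exe" and parent and _name(parent.image) in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_cmd", e.pid))
        if is_certutil_decode(e):
            findings.append(("certutil_decode", e.pid))
        if is_rundll32_nonsystem_module(e):
            findings.append(("rundll32_nonsystem_module", e.pid))

    # Correlation: siblings under one cmd.exe where certutil's output file name
    # equals the module rundll32 loads -> the report's decode-then-execute pattern.
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if not parent or _name(parent.image) != "cmd.exe":
            continue
        outputs = {d.cmdline.split()[-1].strip('"').lower() for d in kids if is_certutil_decode(d)}
        for k in kids:
            mod = rundll32_module(k)
            if mod and mod.rsplit("\\", 1)[-1] in outputs:
                findings.append(("certutil_output_loaded_by_rundll32", k.pid))
    return findings


# --- constructed events mirroring the report's behavioral2 process tree -------
EVENTS = [
    ProcEvent(3216, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js"),
    ProcEvent(1300, 3216, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\4035_4414671332562.js" '
              r'"C:\Users\Admin\\womanlypoor.bat" && "C:\Users\Admin\\womanlypoor.bat"'),
    ProcEvent(2096, 1300, r"C:\Windows\system32\findstr.exe",
              r'findstr /V mellowfemale ""C:\Users\Admin\\womanlypoor.bat""'),
    ProcEvent(5032, 1300, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode comfortablesteer scorchapparatus.dll"),
    ProcEvent(5036, 1300, r"C:\Windows\system32\rundll32.exe",
              "rundll32 scorchapparatus.dll,main"),
    # Invented benign noise: a system DLL via rundll32 and a non-decode certutil use.
    ProcEvent(7000, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
    ProcEvent(7001, 1000, r"C:\Windows\system32\certutil.exe",
              "certutil -verify C:\\Users\\Admin\\vendor.cer"),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The single-event rules each fire on their own, but only the correlation finding is specific to this dropper's pattern; the file names (`womanlypoor.bat`, `comfortablesteer`, `scorchapparatus.dll`) are random per build and make poor indicators, whereas "certutil decoded it, then rundll32 loaded it, both under a cmd.exe started by wscript" survives renaming.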

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\womanlypoor.bat

MD5 5691f001d9a83639c5f6fed3e999e090
SHA1 2ba3ef2e2cca6dfdf154b0565901b4da5833cab9
SHA256 7780f61445e2a2ca907d5f1292a02da7753c8959902ea54b1e4bc5bdb655d95e
SHA512 9a3188340367feab9734c183a7c43cc98a7de149ecfe3bff27e73de717d9826aa5eab1ab4f532ebcbb43a362f274866bf342c3896fa52d56659daca5daa9eb65

C:\Users\Admin\comfortablesteer

MD5 7a91573a5cb5b3d5e556a73b941e7a61
SHA1 a5706eda70203aa7c94cf5b64ef85fdaed911042
SHA256 6a77f1e14cdd5f82663142d6fe336352214711430ab2cc927400478bd0bb3a0c
SHA512 d2ec3667f14e89966ef1f7fc8b84d4e9832a1ed97c610de7a076d3ba9bb69af12e7815b0fde544e77ee36b7b1a52f6522122173798a6630c0f82263970e7e98b

C:\Users\Admin\scorchapparatus.dll

MD5 7d19af9fe28f09457ea7298f66209d87
SHA1 df12676dd52ebb819f80e4bf8d065b4a2052fa25
SHA256 8c02f8457ae523721015fef6ee912fa55bda6251498f93a5d3c35cbddf34ac6a
SHA512 c336122f9a37e5e3c23ee7a2278e01b70fd09280110e62617546014cf0ea48647b231bbfb82854b98f194cea6f59f8c79c531c0b34f7d6001fa2c15d43b865fc

memory/5036-1776-0x00007FFECC670000-0x00007FFECC7BA000-memory.dmp

memory/5036-1777-0x0000023E11A60000-0x0000023E11A83000-memory.dmp