Malware Analysis Report

2025-01-18 09:31

Sample ID 240205-f7eh6adffp
Target quisisana-ag.zip
SHA256 85e86cbf51a56f65c49fc944cf1feb52a6d016ebbec2c03d98729fad831f8369
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

85e86cbf51a56f65c49fc944cf1feb52a6d016ebbec2c03d98729fad831f8369

Threat Level: Known bad

The file quisisana-ag.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-05 05:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-05 05:30

Reported

2024-02-05 05:33

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js" "C:\Users\Admin\\flameremind.bat" && "C:\Users\Admin\\flameremind.bat"

C:\Windows\system32\findstr.exe

findstr /V militaryaberrant ""C:\Users\Admin\\flameremind.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode shutlowly milkceaseless.dll

C:\Windows\system32\rundll32.exe

rundll32 milkceaseless.dll,main

Network

N/A

Files

C:\Users\Admin\flameremind.bat

MD5 23e3d1c59762530754a13de33a3c9de4
SHA1 91b7454b6f762c1ae9e960f86c0e6007dd5493f4
SHA256 69ba403c7495335c0782d71dd81ba72cb95b1ded180221700c23a3529ef75ebf
SHA512 9c0d36b360d8ec45e85b2aec5f2a19c3439be685a74fe7942ca72351fd585637d0c1bcfe99df82d5dd22561de0dc220e4ab45e97f2c493b75cd331f46d347f4a

C:\Users\Admin\flameremind.bat

MD5 e911a2f692abe9095b0cb632b3f761b8
SHA1 d0e8543020d1dd42468feb2f2aaba71008af627b
SHA256 ad9b42c8db2d1988f385b01e94efc3b65cc82244d61b50569e36a60b7b90422b
SHA512 b087e6e4bb3cfef63504abb78ba694c9f50b8afb08e822f3db6523b6f455350e68e00ee1cad122ef4b9095f76bbad01f0ff8735d37555035d16c7ce72a768d4d

C:\Users\Admin\shutlowly

MD5 8be4924245711855ab5408272a9b774d
SHA1 32d519c63793bf2e679e20851e61f2536da20f66
SHA256 4fdad29ba1a770bf1e3a2364ba6a878d1337d90bf7d8a5a6a69ced75ca17ad5b
SHA512 a14b0844643c3ac767221d833f4fdcb9970f7b02e41d6d2463a58fd1f4bdce21452bb039e1590ee59373a161b88175b6c93aea993b791fe6b0cd66d144629308

C:\Users\Admin\milkceaseless.dll

MD5 a60bad8b6f3e947faa66ad0d05bcfa1c
SHA1 28b915487acf9afdf629680d46bc788f2a12854b
SHA256 be3a424a3953660e72d10020220db88a5053612d89a049c36510f958a2f32761
SHA512 1a8968367e08eb743206bbdcdbab0629510de1dd55e07c8ec1366fdfbdfc49aba722d4995d8b0f49c18ad83411a616bf6c333df69801f3f8a10e92ed71d138bd

\Users\Admin\milkceaseless.dll

MD5 494197a7585ef5c2aa3f364e0fc8aa67
SHA1 f5d049f21b0780ecaf8fd510577fcb48de1307ab
SHA256 ced69f077b3de5a505ea0e00abf0d856ff7d1ebf59c692a3a6db07dc83bf2ec7
SHA512 fa47aa5dbe45a85a91c07f81fa25ecdae70d70e217e7888a70c6e5b778714d159bbe5f4716e865171d6337c20e2c4b032a090c0f8b367c18def80560d12f74a9

\Users\Admin\milkceaseless.dll

MD5 fdb1671d16c81a3b18c1838487d12d27
SHA1 24e2cb27154d6769cf9df09a6576ef86a1667329
SHA256 5245c32682f10b060a4bdc58d044a706bb57bea4bbc9e26a34ae0f8df8ce007f
SHA512 d06b6724a8e9deca5d9eeb716781f86467b3aeacaad7a99bbdd39c4de9663b30b55a0bd36953af95d9e0e2e797a9fb71b5fd40cd1fc6338633eb0d36b3cf61b0

\Users\Admin\milkceaseless.dll

MD5 4eb7cf3e1f56d09d603f9a7a73a10bdc
SHA1 2be709456cecf896a003c0dd64f805c134420658
SHA256 f02f35a8a2350ee2894659a1381fca982c87ce01bb75ba6c50f5667ca0482c5a
SHA512 019be6be0ab9446912a63b925c8cf8eb1cde03e8b2d434b382c9d51797a8206f50750f3d2312e7e71660401454dbeb35c00a6a18268af08166db05579cb8d5a5

\Users\Admin\milkceaseless.dll

MD5 c96181bef9139396fa381e85c586acc2
SHA1 442408c9ff3e709a14563099e81c94912d06b7e9
SHA256 e4e038bbd7c91c6acc2c01f5d3b5a150311df0b517526c230d4305fc95e2d0ba
SHA512 e8c384a3aeb55da003c68fdc0c45924215ebdd752ef76dee709234f02f52f31b994a78704e049d83068402ce36dd26ae819d185e010fead09638e8a342323708

memory/2628-1608-0x000007FEF6640000-0x000007FEF677B000-memory.dmp

memory/2628-1609-0x0000000000100000-0x0000000000123000-memory.dmp

memory/2628-1610-0x0000000000100000-0x0000000000123000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-05 05:30

Reported

2024-02-05 05:33

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5116 wrote to memory of 4504 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 5116 wrote to memory of 4504 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4504 wrote to memory of 4380 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4504 wrote to memory of 4380 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4504 wrote to memory of 1104 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4504 wrote to memory of 1104 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4504 wrote to memory of 1248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4504 wrote to memory of 1248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\427_20110203210461.js" "C:\Users\Admin\\flameremind.bat" && "C:\Users\Admin\\flameremind.bat"

C:\Windows\system32\findstr.exe

findstr /V militaryaberrant ""C:\Users\Admin\\flameremind.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode shutlowly milkceaseless.dll

C:\Windows\system32\rundll32.exe

rundll32 milkceaseless.dll,main

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp

Files

C:\Users\Admin\flameremind.bat

MD5 10f717ce253ee3e98895e910cd1f54e6
SHA1 b0621dc49ace0ae59a7e85550d6ba21f7731dc94
SHA256 f9f06fcc5c05a1bcc109b6e3dd0cb304a73b950da917f7667a0a69657968ef26
SHA512 27c4024f18e36ed0cd0ffab2b2b3beab7ec6f29af0815b9e2cee60f91556d89099408a6f3b8e9f35803f031232c10f3debfaf80deec8f66717b0aa774233cce7

C:\Users\Admin\flameremind.bat

MD5 e911a2f692abe9095b0cb632b3f761b8
SHA1 d0e8543020d1dd42468feb2f2aaba71008af627b
SHA256 ad9b42c8db2d1988f385b01e94efc3b65cc82244d61b50569e36a60b7b90422b
SHA512 b087e6e4bb3cfef63504abb78ba694c9f50b8afb08e822f3db6523b6f455350e68e00ee1cad122ef4b9095f76bbad01f0ff8735d37555035d16c7ce72a768d4d

C:\Users\Admin\shutlowly

MD5 d5ce23eb86f617ee28db6ee857d93981
SHA1 c43e13becee8edf2726723c45da7c7860970d9a0
SHA256 44f7a8fdc85eeb71429c920f5d51a7f5ffee8baed7a2ac61c8118a53bd5cf68a
SHA512 f5ef886b6804a048d094920223fef6e9ab41799f25fdb9f583912a2935a3d731041d95b98dbb7ca87c61c0bf8d3b1023807b76b11065dbc06e5720d7331205b4

C:\Users\Admin\milkceaseless.dll

MD5 62caff9bfcfed849b27631a054ef3a68
SHA1 9e082e5f78579234c74165724aa31dcca751d906
SHA256 795f66526b90a375190736a674ddebb41bc1c36b73604b76117e7224227b8544
SHA512 513ece2bd027cbd1151db685ee991403b686ea81ecada264c7b6b5ce5944023fadae9f82860bdf4bea2682862441d4a906a971998af75519493a4481b9e8440a

C:\Users\Admin\milkceaseless.dll

MD5 dbc4929c48a2032bfe221a9fdf857fd7
SHA1 0c31b0dff201a14c87dc18d16f0bcbe07936ea6e
SHA256 c4e1fd1d49ee899512ad4d38a722e6020e99cee8e68eef7196849911dd102214
SHA512 e2c99b14386548520ea6e413bf7cbd52fe65c186f273e08c727de9760ce9aaaabeca8eacdfcd1bf0e16a4200cd94a585780c10081670d82db097db6bb64801e7

memory/1248-1605-0x00007FFB92B70000-0x00007FFB92CAB000-memory.dmp

memory/1248-1606-0x000001BCA3F50000-0x000001BCA3F73000-memory.dmp