Malware Analysis Report

2025-01-18 09:31

Sample ID 240206-veee1sbeb4
Target quisisana-ag.zip
SHA256 8ca6dc7fcf25e0e7d4a521d35ec27d08fd5b2832f06f2aa32b52b36b69f47c8c
Tags strela stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ca6dc7fcf25e0e7d4a521d35ec27d08fd5b2832f06f2aa32b52b36b69f47c8c

Threat Level: Known bad

The file quisisana-ag.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 16:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 16:53

Reported

2024-02-06 16:56

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2624 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2624 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2624 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2624 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2624 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2624 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2624 wrote to memory of 1920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2624 wrote to memory of 1920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2624 wrote to memory of 1920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 2624 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1928 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1928 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"

C:\Windows\system32\findstr.exe

findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode cherryargument high-pitchedhandsomely.dll

C:\Windows\system32\cmd.exe

cmd /C rundll32 high-pitchedhandsomely.dll,main

C:\Windows\system32\rundll32.exe

rundll32 high-pitchedhandsomely.dll,main

Network

N/A

Files

C:\Users\Admin\yelltame.bat

MD5 9d68a860c54584dd2d52f465160ee6ad
SHA1 42270d711512467421fd9f15530a70476f383172
SHA256 cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
SHA512 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539

C:\Users\Admin\cherryargument

MD5 e0ab76e2f14e9a8d3314f0d88924c318
SHA1 debed77dc28f418fa1d4d3c76d11f543cd75ce73
SHA256 ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca
SHA512 e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac

C:\Users\Admin\high-pitchedhandsomely.dll

MD5 7510774ef92e9c6a391b92a0bd3f408b
SHA1 741652f31e83c6ed6908ed4e0cfc46f79451d985
SHA256 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c
SHA512 a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264

memory/1952-201-0x000007FEF76D0000-0x000007FEF7711000-memory.dmp

memory/1952-202-0x0000000000110000-0x0000000000133000-memory.dmp

memory/1952-203-0x0000000000110000-0x0000000000133000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 16:53

Reported

2024-02-06 16:56

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js

Signatures

Strela

stealer strela

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 4608 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3180 wrote to memory of 4608 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 4608 wrote to memory of 740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 4608 wrote to memory of 740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 4608 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 4608 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\certutil.exe
PID 4608 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4608 wrote to memory of 2512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2512 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"

C:\Windows\system32\findstr.exe

findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode cherryargument high-pitchedhandsomely.dll

C:\Windows\system32\cmd.exe

cmd /C rundll32 high-pitchedhandsomely.dll,main

C:\Windows\system32\rundll32.exe

rundll32 high-pitchedhandsomely.dll,main

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\yelltame.bat

MD5 9d68a860c54584dd2d52f465160ee6ad
SHA1 42270d711512467421fd9f15530a70476f383172
SHA256 cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
SHA512 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539

C:\Users\Admin\cherryargument

MD5 e0ab76e2f14e9a8d3314f0d88924c318
SHA1 debed77dc28f418fa1d4d3c76d11f543cd75ce73
SHA256 ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca
SHA512 e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac

C:\Users\Admin\high-pitchedhandsomely.dll

MD5 7510774ef92e9c6a391b92a0bd3f408b
SHA1 741652f31e83c6ed6908ed4e0cfc46f79451d985
SHA256 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c
SHA512 a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264

memory/4820-198-0x00007FFED12E0000-0x00007FFED1321000-memory.dmp

memory/4820-199-0x000002A53F2B0000-0x000002A53F2D3000-memory.dmp