Malware Analysis Report

2025-01-18 09:30

Sample ID: 240208-rm4s4aed31
Target: 08022024_2219_06022024_krieger-schramm.zip
SHA256: 41e60d8e1802d173e24b105ca79af2d2f075d9909565a82fd4f5c8db2b7ed970
Tags: strela stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 41e60d8e1802d173e24b105ca79af2d2f075d9909565a82fd4f5c8db2b7ed970
Threat Level: Known bad

The file 08022024_2219_06022024_krieger-schramm.zip was found to be: Known bad. The archive carries the JScript file 21421687800828945.js, which is what both behavioral runs below detonate (wscript.exe C:\Users\Admin\AppData\Local\Temp\21421687800828945.js).

Malicious Activity Summary

strela stealer (family tag)
Strela (signature match in both behavioral runs)
Checks computer location settings (behavioral2 only)
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are present in this export.

Analysis: static1

Detonation Overview

Reported: 2024-02-08 14:19

Signatures: N/A (no static signatures fired)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-08 14:19
Reported: 2024-02-08 14:22
Platform: win7-20231215-en
Max time kernel: 122s
Max time network: 126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\21421687800828945.js

Signatures

Strela (family: stealer strela)

Loads dropped DLL

Process: C:\Windows\system32\rundll32.exe (4 load events; the dropped module is C:\Users\Admin\abandonedcloth.dll, see Processes and Files below)

Enumerates physical storage devices (no indicator recorded)

Suspicious use of WriteProcessMemory

Every write is from a parent into the child it had just spawned, i.e. the writes follow the process tree below rather than targeting an unrelated process. Each parent/child pair was logged three times in this run:

Parent PID  Child PID  Parent image                       Child image
3040        2096       C:\Windows\system32\wscript.exe    C:\Windows\System32\cmd.exe
2096        932        C:\Windows\System32\cmd.exe        C:\Windows\system32\findstr.exe
2096        1680       C:\Windows\System32\cmd.exe        C:\Windows\system32\certutil.exe
2096        1712       C:\Windows\System32\cmd.exe        C:\Windows\system32\cmd.exe
1712        536        C:\Windows\system32\cmd.exe        C:\Windows\system32\rundll32.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory indicators above):

C:\Windows\system32\wscript.exe (PID 3040)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\21421687800828945.js

    C:\Windows\System32\cmd.exe (PID 2096)
        "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\21421687800828945.js" "C:\Users\Admin\\creamjudicious.bat" && "C:\Users\Admin\\creamjudicious.bat"

        C:\Windows\system32\findstr.exe (PID 932)
            findstr /V creatorerror ""C:\Users\Admin\\creamjudicious.bat""

        C:\Windows\system32\certutil.exe (PID 1680)
            certutil -f -decode bruiseagonizing abandonedcloth.dll

        C:\Windows\system32\cmd.exe (PID 1712)
            cmd /C rundll32 abandonedcloth.dll,main

            C:\Windows\system32\rundll32.exe (PID 536)
                rundll32 abandonedcloth.dll,main

Execution chain: the .js is a JScript/batch polyglot. Run under wscript, it copies itself to C:\Users\Admin\creamjudicious.bat and executes the copy through cmd /k. The batch stage uses findstr /V to drop every line containing the marker string creatorerror (the script and batch lines), leaving only the base64 body; cmd redirects that output into the file bruiseagonizing (the redirection belongs to cmd, which is why it does not appear on findstr's command line). certutil -f -decode turns bruiseagonizing into abandonedcloth.dll, and rundll32 calls the DLL's exported function main. Every stage before the DLL runs through a signed Windows binary, so the only new executable code on disk is abandonedcloth.dll.
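The two decode stages above (findstr /V marker filtering, then certutil -decode) can be reproduced statically so the DLL and its hashes are recovered without detonating anything. The script below is an added example, not code from the report or from the sample: the marker string creatorerror and the file names are taken from the report, while SAMPLE_POLYGLOT and DUMMY_PAYLOAD are constructed stand-ins (a few marker-carrying script lines wrapped around a base64 blob), not Strela content. The certutil emulation accepts both -----BEGIN/END----- wrapped and bare base64, which is how certutil -decode is commonly abused.

```python
"""Offline re-implementation of the dropper's decode stages.

Added example; not code from the report or from the sample. It mirrors what
the batch stage and certutil do, without executing anything: drop every line
containing the marker (the report's `findstr /V creatorerror`), then
base64-decode what is left the way `certutil -decode` would (header lines of
the form -----BEGIN ...----- are ignored, bare base64 is accepted too).
"""
import base64
import hashlib
import re
from typing import Dict, Tuple

MARKER = "creatorerror"  # marker string from the report's findstr /V command line

# Constructed stand-in for the embedded DLL: starts with "MZ" so the PE check
# below has something to find, but it is not a real executable.
DUMMY_PAYLOAD = b"MZ" + bytes(range(64)) * 4

# Constructed stand-in for creamjudicious.bat: every script/batch line carries
# the marker, so `findstr /V` leaves only the base64 body between the headers.
SAMPLE_POLYGLOT = (
    "var creatorerror = 1; // JScript line, stripped by findstr /V\n"
    "@echo off & rem creatorerror\n"
    'findstr /V creatorerror "%~f0" > bruiseagonizing & rem creatorerror\n'
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(DUMMY_PAYLOAD).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def strip_marker_lines(text: str, marker: str = MARKER) -> str:
    """Stage 1, `findstr /V <marker>`: keep only lines that do NOT contain the marker."""
    return "\n".join(line for line in text.splitlines() if marker not in line) + "\n"


def certutil_decode(text: str) -> bytes:
    """Stage 2, `certutil -decode`: skip blank and -----BEGIN/END----- lines, then
    base64-decode the rest. A leftover non-base64 line is an error rather than
    silently skipped, so a wrong marker is reported instead of yielding garbage."""
    body = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("-----"):
            continue
        if not B64_LINE.match(s):
            raise ValueError(f"non-base64 line left after marker strip: {s[:40]!r}")
        body.append(s)
    return base64.b64decode("".join(body), validate=True)


def extract_payload(polyglot: str, marker: str = MARKER) -> Tuple[bytes, Dict[str, str]]:
    """Run both stages and return (payload bytes, hashes) for IoC comparison."""
    data = certutil_decode(strip_marker_lines(polyglot, marker))
    digests = {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}
    return data, digests


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the decoded blob: DOS header magic."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    payload, hashes = extract_payload(SAMPLE_POLYGLOT)
    print(f"decoded {len(payload)} bytes, PE header: {looks_like_pe(payload)}")
    for name, value in hashes.items():
        print(f"  {name}: {value}")
```

Pointed at a real copy of creamjudicious.bat, the hashes returned by extract_payload should match the abandonedcloth.dll entry in the Files section; a mismatch means the marker or the decode stage differs from what the report shows and the batch needs a closer look.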

Network

N/A (no network activity was recorded in this run)

Files

C:\Users\Admin\creamjudicious.bat (copy of the dropped .js, executed as a batch file)

MD5 2cea45454e7fef730082be9b5ce5f37d
SHA1 b352487247c1e49bea04fae3972cc2af00bc7e23
SHA256 e7c76677638bff695482f75513f4f538ae51fe8b1f0c6d7fc5f1c3ccec8217fd
SHA512 d5407c8699377075f2a62673e50097bc04f35abc935587f4d9ca325daedccad2c2a3c3dd28a2e46c5aaae0d86a4d7ee95ebc5f46f9b602d8837b1bae8902ae1b

C:\Users\Admin\bruiseagonizing (base64 body left after findstr /V removed the marker lines; input to certutil -decode)

MD5 03c4a62bb98e0b86cef66adbf8c8e5fe
SHA1 6feb2833802e38972cc43f3995489d9380383908
SHA256 7dadbcf20f871ac6bfc4738b2ef4e476e8a1069f3eddfd92d967cc8df96b9593
SHA512 14094c9ae70e7273c3c4fc2a68972eac2b52fc07b02de54536f25475a594db5f8fdefce812ac2153c6a5e732328ec3fb24e4652ddf344bdd43f8f95581512fa3

C:\Users\Admin\abandonedcloth.dll (certutil -decode output; the DLL loaded by rundll32 on which the Strela signature fires)

MD5 e3126e41a0a0b7925cd6c37dfe4e1946
SHA1 777f9b13f5b4cc1d989e3b732ace0f560cb3ebb2
SHA256 75d4bd2aa84ca70747849addd5db9cd797717c21c6a87232e965e7f4def5987b
SHA512 5a6d83ffcee496b0c80dcd5ee9bfbb62ae7e9f65ed818f9059229ca42a1832d47a4647ccb8ddeae61989722288f040dd6f077107be6f1dd7c9657811c401ba8d

Memory dumps from rundll32.exe (PID 536):

memory/536-176-0x0000000000100000-0x0000000000123000-memory.dmp (0x23000 bytes)
memory/536-175-0x000007FEF7130000-0x000007FEF7173000-memory.dmp (0x43000 bytes)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-08 14:19
Reported: 2024-02-08 14:22
Platform: win10v2004-20231215-en
Max time kernel: 144s
Max time network: 152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\21421687800828945.js

Signatures

Strela (family: stealer strela)

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\wscript.exe (the script host, before the DLL stage; this indicator did not appear in the Windows 7 run)

Loads dropped DLL

Process: C:\Windows\system32\rundll32.exe (1 load event; the dropped module is C:\Users\Admin\abandonedcloth.dll, see Processes and Files below)

Enumerates physical storage devices (no indicator recorded)

Suspicious use of WriteProcessMemory

As in behavioral1, every write is from a parent into the child it had just spawned and follows the process tree below. Each parent/child pair was logged twice in this run:

Parent PID  Child PID  Parent image                       Child image
3524        1568       C:\Windows\system32\wscript.exe    C:\Windows\System32\cmd.exe
1568        3940       C:\Windows\System32\cmd.exe        C:\Windows\system32\findstr.exe
1568        764        C:\Windows\System32\cmd.exe        C:\Windows\system32\certutil.exe
1568        1608       C:\Windows\System32\cmd.exe        C:\Windows\system32\cmd.exe
1608        4736       C:\Windows\system32\cmd.exe        C:\Windows\system32\rundll32.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory indicators above); the command lines are identical to the Windows 7 run:

C:\Windows\system32\wscript.exe (PID 3524)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\21421687800828945.js

    C:\Windows\System32\cmd.exe (PID 1568)
        "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\21421687800828945.js" "C:\Users\Admin\\creamjudicious.bat" && "C:\Users\Admin\\creamjudicious.bat"

        C:\Windows\system32\findstr.exe (PID 3940)
            findstr /V creatorerror ""C:\Users\Admin\\creamjudicious.bat""

        C:\Windows\system32\certutil.exe (PID 764)
            certutil -f -decode bruiseagonizing abandonedcloth.dll

        C:\Windows\system32\cmd.exe (PID 1608)
            cmd /C rundll32 abandonedcloth.dll,main

            C:\Windows\system32\rundll32.exe (PID 4736)
                rundll32 abandonedcloth.dll,main
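The same chain on two Windows images is a good target for a process-lineage detection rather than a hash match: a script host at the root, findstr /V and certutil -decode under a cmd.exe child, and rundll32 loading a DLL from outside the Windows or Program Files trees. The code below is an added example, not part of the report and not a vendor rule. It consumes Sysmon/EDR-style process-creation events (pid, ppid, image, command line); EVENTS_BEHAVIORAL1 is built from the PIDs and command lines in the behavioral1 section (the parent of wscript.exe is not in the report, so its ppid of 0 is an assumption), and EVENTS_BENIGN is a constructed control. cscript.exe is included next to wscript.exe as a generalization the report itself does not show.

```python
"""Detection logic for the script-host -> cmd -> findstr/certutil -> rundll32 chain.

Added example, not part of the report and not a vendor rule. It walks each
process up to a script-host ancestor and reports a root whose descendants
include a `certutil -decode` and a rundll32 loading a DLL from outside the
Windows and Program Files trees.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath
import re


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # cscript is a generalization
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of pid, nearest first; stops at unknown PIDs and on cycles."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def rundll32_module(cmdline: str) -> Optional[str]:
    """DLL argument of `rundll32[.exe] <dll>,<export> ...`, quoted or not."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+"?([^",]+?)"?\s*,', cmdline)
    return m.group(1) if m else None


def detect_decode_chain(events: List[ProcEvent]) -> List[dict]:
    """One finding per script-host root whose descendants show the full chain."""
    by_pid = {e.pid: e for e in events}
    per_root: Dict[int, dict] = {}
    for e in events:
        root = next((a for a in ancestors(e.pid, by_pid) if base(a.image) in SCRIPT_HOSTS), None)
        if root is None:
            continue  # not launched, directly or indirectly, by a script host
        f = per_root.setdefault(root.pid, {"root_pid": root.pid, "root_cmd": root.cmdline, "stages": []})
        b = base(e.image)
        if b == "findstr.exe" and re.search(r"(?i)(^|\s)/v\b", e.cmdline):
            f["stages"].append(("findstr /V line filter", e.pid))
        elif b == "certutil.exe" and re.search(r"(?i)\s-+decode\b", e.cmdline):
            f["stages"].append(("certutil -decode", e.pid))
        elif b == "rundll32.exe":
            dll = rundll32_module(e.cmdline)
            # A bare file name resolves against the process cwd (C:\Users\Admin
            # in the report), which is as suspicious as an explicit profile path.
            if dll and not dll.lower().startswith(SYSTEM_DIRS):
                f["stages"].append((f"rundll32 non-system DLL {dll}", e.pid))
    # Require both the decode and the load stage; findstr alone is too common.
    return [f for f in per_root.values()
            if {s[0].split()[0] for s in f["stages"]} >= {"certutil", "rundll32"}]


# Constructed from the report's behavioral1 run (Windows 7 image); wscript's
# own parent is not in the report, so ppid 0 is an assumption.
EVENTS_BEHAVIORAL1 = [
    ProcEvent(3040, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\21421687800828945.js"),
    ProcEvent(2096, 3040, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\21421687800828945.js" '
              r'"C:\Users\Admin\\creamjudicious.bat" && "C:\Users\Admin\\creamjudicious.bat"'),
    ProcEvent(932, 2096, r"C:\Windows\system32\findstr.exe",
              r'findstr /V creatorerror ""C:\Users\Admin\\creamjudicious.bat""'),
    ProcEvent(1680, 2096, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode bruiseagonizing abandonedcloth.dll"),
    ProcEvent(1712, 2096, r"C:\Windows\system32\cmd.exe", "cmd /C rundll32 abandonedcloth.dll,main"),
    ProcEvent(536, 1712, r"C:\Windows\system32\rundll32.exe", "rundll32 abandonedcloth.dll,main"),
]

# Constructed control: an admin decoding a certificate from an ordinary shell.
EVENTS_BENIGN = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    ProcEvent(1200, 1100, r"C:\Windows\system32\certutil.exe", "certutil -decode cert.b64 cert.cer"),
]


if __name__ == "__main__":
    for finding in detect_decode_chain(EVENTS_BEHAVIORAL1):
        print(f"root PID {finding['root_pid']}: {finding['root_cmd']}")
        for stage, pid in finding["stages"]:
            print(f"  PID {pid}: {stage}")
```

The rule keys on lineage and arguments, not on the file names, so the same logic fires if the marker, batch name or DLL name is rotated between campaigns; it stays quiet on a certutil -decode that has no script host above it and no rundll32 beneath it.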

Network

Only reverse-DNS (PTR) queries to 8.8.8.8 were captured; no other outbound connection was recorded in the 152 s network window, so this run yields no C2 indicator for the payload. The reversed addresses are listed for convenience.

Country  Destination  Query (PTR)                      Reversed IP       Proto
US       8.8.8.8:53   13.86.106.20.in-addr.arpa        20.106.86.13      udp
US       8.8.8.8:53   180.178.17.96.in-addr.arpa       96.17.178.180     udp
US       8.8.8.8:53   134.32.126.40.in-addr.arpa       40.126.32.134     udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa      192.229.221.95    udp
US       8.8.8.8:53   81.171.91.138.in-addr.arpa       138.91.171.81     udp
US       8.8.8.8:53   217.106.137.52.in-addr.arpa      52.137.106.217    udp
US       8.8.8.8:53   241.150.49.20.in-addr.arpa       20.49.150.241     udp
US       8.8.8.8:53   157.123.68.40.in-addr.arpa       40.68.123.157     udp
US       8.8.8.8:53   18.31.95.13.in-addr.arpa         13.95.31.18       udp
US       8.8.8.8:53   217.135.221.88.in-addr.arpa      88.221.135.217    udp
US       8.8.8.8:53   194.178.17.96.in-addr.arpa       96.17.178.194     udp
US       8.8.8.8:53   89.16.208.104.in-addr.arpa       104.208.16.89     udp

Files

All three dropped files carry the same hashes as in the Windows 7 run, so the decode stage is deterministic and these hashes are usable as indicators on both platforms.

C:\Users\Admin\creamjudicious.bat (copy of the dropped .js, executed as a batch file)

MD5 2cea45454e7fef730082be9b5ce5f37d
SHA1 b352487247c1e49bea04fae3972cc2af00bc7e23
SHA256 e7c76677638bff695482f75513f4f538ae51fe8b1f0c6d7fc5f1c3ccec8217fd
SHA512 d5407c8699377075f2a62673e50097bc04f35abc935587f4d9ca325daedccad2c2a3c3dd28a2e46c5aaae0d86a4d7ee95ebc5f46f9b602d8837b1bae8902ae1b

C:\Users\Admin\bruiseagonizing (base64 body left after findstr /V removed the marker lines; input to certutil -decode)

MD5 03c4a62bb98e0b86cef66adbf8c8e5fe
SHA1 6feb2833802e38972cc43f3995489d9380383908
SHA256 7dadbcf20f871ac6bfc4738b2ef4e476e8a1069f3eddfd92d967cc8df96b9593
SHA512 14094c9ae70e7273c3c4fc2a68972eac2b52fc07b02de54536f25475a594db5f8fdefce812ac2153c6a5e732328ec3fb24e4652ddf344bdd43f8f95581512fa3

C:\Users\Admin\abandonedcloth.dll (certutil -decode output; the DLL loaded by rundll32 on which the Strela signature fires)

MD5 e3126e41a0a0b7925cd6c37dfe4e1946
SHA1 777f9b13f5b4cc1d989e3b732ace0f560cb3ebb2
SHA256 75d4bd2aa84ca70747849addd5db9cd797717c21c6a87232e965e7f4def5987b
SHA512 5a6d83ffcee496b0c80dcd5ee9bfbb62ae7e9f65ed818f9059229ca42a1832d47a4647ccb8ddeae61989722288f040dd6f077107be6f1dd7c9657811c401ba8d

Memory dumps from rundll32.exe (PID 4736); the region sizes (0x43000 and 0x23000) match the two regions dumped from rundll32 in the Windows 7 run:

memory/4736-172-0x00007FFD70F40000-0x00007FFD70F83000-memory.dmp (0x43000 bytes)
memory/4736-173-0x000001F7DFAF0000-0x000001F7DFB13000-memory.dmp (0x23000 bytes)
memory/4736-174-0x000001F7DFAF0000-0x000001F7DFB13000-memory.dmp (0x23000 bytes, same region dumped again)