Malware Analysis Report

2025-01-18 09:30

Sample ID 240216-phrlvsbb53
Target 9573_21597333807.js
SHA256 d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a

Threat Level: Known bad

The file 9573_21597333807.js was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 12:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 12:20

Reported

2024-02-16 12:22

Platform

win10v2004-20231215-en

Max time kernel

113s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js

Signatures

Strela

stealer strela

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1064 wrote to memory of 1508 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1064 wrote to memory of 1508 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1508 wrote to memory of 4180 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 1508 wrote to memory of 4180 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 1508 wrote to memory of 5064 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1508 wrote to memory of 5064 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 1508 wrote to memory of 756 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1508 wrote to memory of 756 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 1508 wrote to memory of 748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1508 wrote to memory of 748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js" "C:\Users\Admin\\calculatingmomentous.bat" && "C:\Users\Admin\\calculatingmomentous.bat"

C:\Windows\system32\fc.exe

fC /T4eeVbmZfDnqfE6altiBwHwxa65U9VwYvU8GACmozE1T+mx9zNgllyagqUQAXZdO4MUE/D0TLrxhcEShk0LMrRAQPdduJL0cMA3aenydMBypmg7UeZw8NWayoKmw2I2WyqixTBCxlo5MLch82SrObIVI4NHG/jG8zbpifp6eov6SXv4C0oo6BtqM7A3x52F5SWHJmNh0KxZoT1KkC1Lavyj8BvY6ni7a+oxslTkPfSENOaFpAVXc0YKElXZdpYg9dnjLslGoK/KZptLx0LEYl+LUx0aqCZ12kcXdPXgR2cGAz4IEydowd56sXm7Z8FTFEQGqNWDoWGjohBQdWTNlhWm54Rn9HA2NET2ZdajZ1knBfAHGNK+SQ3EVea21UOj9IQjM/f38CeCppaChTEzuAt09hCgtdThIOQn8tVl5DVRV6SFV1LldrexNcbEk/f3RhTmpDBc9uWhxsB/OAAWp6qDXukjm4u3cEciUpYX3CeWZCRXp2fl838IpITVZGcimFjD6xEd+dcAh/YlNTdHphi5yRnLewt5GpsBk4XWfNXk9zRXM2CjLlghjYgTT0lpjAJTGxg5alibKuLglMcMxmf2xFYm9VbxNssRtYjkJfF1ODCfmFTDfekXe4ulwRWwvOjxHZrLxtSK9ReXhpKn15WhfDrANPrAjupyajqHQqKE91UqVbACQLGzs+AG5/7X1QSVlCRno/bUhCSkljF0OwSHIpVK8E6IHSbWhNYGE4KEdaJiBJbSNiLmpyFFAgJoS7cUAhH39SLjhIYwJaU1d9EFdbQWsBXU9yBF1VezxNf1NYb1Ya9VdPGmAPz4QFbkS9HtGsJYmSYzRfKxVUZNpiQ1BAfE5zfxPTmU9cTndxMY2MKook3o5CNFlzbkpvSGqcvJaWtHx5Qkmzi6WEHHxVWENuR8Msd1K7NFZMfquhpKvaTnB8k6SrKMwbQG4S5SFXcwPxCUVzBCn9sGcT2KnVtrO1fGJOKW2mBPaqNtm4HHgI43IF5Y4k7vOma0lpAkuXJE9BYS5BK/CceQh8qC+LeqMY+Qd7QwrgJ

C:\Windows\system32\findstr.exe

findstr /V airpuny ""C:\Users\Admin\\calculatingmomentous.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode condemnedtoothsome crosssugar.dll

C:\Windows\system32\rundll32.exe

rundll32 crosssugar.dll,main

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.42.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |

Files

C:\Users\Admin\calculatingmomentous.bat

MD5 8b5f798bc01985c75d37510670f046b8
SHA1 dc65db3178e9089186160059399ee85cb61e487e
SHA256 d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a
SHA512 5bd7e9da95587597e1f78cc8e4ac2fcd4fbca281116097b20ac4a5bc579d2ddfc6cb6c678f12f27c621616bc9819be8ae9dd91169a483c7ffa5ce6c8e3dc5312

C:\Users\Admin\condemnedtoothsome

MD5 a0fefffb0db449a46b243012f1beb383
SHA1 d6fff628baafed3dff7d2e19c78036b7cd0ea41d
SHA256 faf1adbc627a95eb5879f5ecc6768db7892e11f466304420db9200bf32032e05
SHA512 b6d29a56b19e20868ea56b381c53f49e8111d190edaa17ad8c91e4d4eeeb9ab74e1f92df886ea4e3078f014509c08d1301f3a3f590a2af53beab573a117604be

C:\Users\Admin\crosssugar.dll

MD5 1d9e331af631be2b1d5f6e5816afddd0
SHA1 b8d9864f1c15f4692cde377f4f63804a68f3b7d1
SHA256 34eec1db863d20eeba7568a74b64ddc2c6510762c6ff59a4a00e3d5a70d68fa7
SHA512 771ab41d4d361a000d0a76077098a7d8e63d6375d1dfdedf9e916508a8a5455260e839439babbf6e2500581c0e65b21eb22649e1b8c8db467603229c3c001ab0

memory/748-1827-0x00007FFDEEE80000-0x00007FFDEEFE2000-memory.dmp

memory/748-1828-0x000001F502C70000-0x000001F502C93000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 12:20

Reported

2024-02-16 12:22

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js

Signatures

Strela

stealer strela

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1588 wrote to memory of 2116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1588 wrote to memory of 2116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1588 wrote to memory of 2116 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 2116 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 2116 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 2116 wrote to memory of 2596 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\fc.exe |
| PID 2116 wrote to memory of 2916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2116 wrote to memory of 2916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2116 wrote to memory of 2916 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 2116 wrote to memory of 2912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2116 wrote to memory of 2912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2116 wrote to memory of 2912 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 2116 wrote to memory of 2192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2116 wrote to memory of 2192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2116 wrote to memory of 2192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\9573_21597333807.js" "C:\Users\Admin\\calculatingmomentous.bat" && "C:\Users\Admin\\calculatingmomentous.bat"

C:\Windows\system32\fc.exe

fC …

C:\Windows\system32\findstr.exe

findstr /V airpuny ""C:\Users\Admin\\calculatingmomentous.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode condemnedtoothsome crosssugar.dll

C:\Windows\system32\rundll32.exe

rundll32 crosssugar.dll,main

Network

N/A

Files

C:\Users\Admin\calculatingmomentous.bat

MD5 8b5f798bc01985c75d37510670f046b8
SHA1 dc65db3178e9089186160059399ee85cb61e487e
SHA256 d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a
SHA512 5bd7e9da95587597e1f78cc8e4ac2fcd4fbca281116097b20ac4a5bc579d2ddfc6cb6c678f12f27c621616bc9819be8ae9dd91169a483c7ffa5ce6c8e3dc5312

C:\Users\Admin\condemnedtoothsome

MD5 caf6d560e252a1601dc3bb992073039a
SHA1 d14ec102c1441bda3f7a6e1de30030c4695c5d38
SHA256 14f87de587dfce8b8a98e18dcc4bc4d06b9033a2acb9b2e96f720d486619e4c6
SHA512 2592c5128f32a6ec7933b2d32988297787bf33f0e0e2a099cd613dbd1e2a230c6164ba635a6f7a42b02784d1b74ea8d4c9eff9a1678b317e1f6135ba49f259f9

C:\Users\Admin\crosssugar.dll

MD5 7990c3fa865ee39c49202072252ca655
SHA1 a885964fe5fa91cbd3bdb25c326b6dc0c9c4cb91
SHA256 ea8e6e9a3a5afac812b17a604732059a16708998d8aa95e8a448cdc7af43c0ec
SHA512 bce024ee02ddac3dbe76f35475c389c98c1e43506d013c56d942f840f1a6626549fcd4a04bce4bbc363c1fe4d49250bf8528252349bce59b9732214d80f255a1

\Users\Admin\crosssugar.dll

MD5 c8918a648ad7a400ac154e72c0b853af
SHA1 1e8974c6fb779cef1f17d853c7d2e728eb69e999
SHA256 246d908acc169572d8b49f4ca8ba6aed4555460223ce1c5e1bdf954fa643b1c9
SHA512 662d2cb51b08a5bf0aab231fb121db6b06d0623a52622412b0afd8e85ccd1755f1985670647537fd683d7231c63f81c76a206e0c83964283c09481f66ef82213

\Users\Admin\crosssugar.dll

MD5 9061f244a5c994916dad2a4fb4f3fb73
SHA1 54404eb77afd6bcdb4931340930caf806b6f4d66
SHA256 ed5552cae577eb6b2b061a9de2d920de925e8e960279c52ac065e9963a4fa664
SHA512 41a68dde83b1ff9c08af725b8095edf1b8e12520927ba4934a4f71737a5ceddf9321eaca46e7143dc32e07e5a849951384e960386eb7696f7a6253ec0d94567f

\Users\Admin\crosssugar.dll

MD5 019cb1b75abe207211926b8e5295ca11
SHA1 754c6dd9daf75a552ff127fca038c0c96c513d6b
SHA256 8257196b706fe5e0d62e01be25c71012aad3083123ea1ab34b9abd763567969d
SHA512 cb99b35147fb9352d9bda65b2e3f6376588df27817e0a07dbc1d56934e1d84b83484bebeace6a10bedbf915a2ae388424d89604b0bb3a8aad3edf9e0827920e7

\Users\Admin\crosssugar.dll

MD5 27572f381e987fddab6c88c2da0244db
SHA1 aa05fed505c581211fe32e94bd9591721fbe4e4a
SHA256 1f1b67c8121089afcf29f7c90e8ae7a2c13dff045224b335a618ccbfab3eab0a
SHA512 9aee2cf7aae804c3bccc964b5ad2ec7a0d152ede7bdaf1cce7605d8d3a62a439ac4b0a5b3a17ab9d1f46053b884ebc4ebcbac11c52d4eb30761e1c66196aa74e

memory/2192-1831-0x0000000000210000-0x0000000000233000-memory.dmp

memory/2192-1830-0x000007FEF65A0000-0x000007FEF6702000-memory.dmp