strela | d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a.js
Size

1.8MB
MD5

8b5f798bc01985c75d37510670f046b8
SHA1

dc65db3178e9089186160059399ee85cb61e487e
SHA256

d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a
SHA512

5bd7e9da95587597e1f78cc8e4ac2fcd4fbca281116097b20ac4a5bc579d2ddfc6cb6c678f12f27c621616bc9819be8ae9dd91169a483c7ffa5ce6c8e3dc5312
SSDEEP

24576:SMTFh49if/ba2nHcQehtzEhlDgBQk2nQHuXeMAbdOw4riQxfeftvIaojSoOsyeSP:Vi+zI

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation wscript.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4556 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
4556	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 4604	2780	wscript.exe	cmd.exe
PID 2780 wrote to memory of 4604	2780	wscript.exe	cmd.exe
PID 4604 wrote to memory of 2156	4604	cmd.exe	fc.exe
PID 4604 wrote to memory of 2156	4604	cmd.exe	fc.exe
PID 4604 wrote to memory of 1364	4604	cmd.exe	findstr.exe
PID 4604 wrote to memory of 1364	4604	cmd.exe	findstr.exe
PID 4604 wrote to memory of 1336	4604	cmd.exe	certutil.exe
PID 4604 wrote to memory of 1336	4604	cmd.exe	certutil.exe
PID 4604 wrote to memory of 4556	4604	cmd.exe	rundll32.exe
PID 4604 wrote to memory of 4556	4604	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a.js" "C:\Users\Admin\\calculatingmomentous.bat" && "C:\Users\Admin\\calculatingmomentous.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\fc.exe
fC /T4eeVbmZfDnqfE6altiBwHwxa65U9VwYvU8GACmozE1T+mx9zNgllyagqUQAXZdO4MUE/D0TLrxhcEShk0LMrRAQPdduJL0cMA3aenydMBypmg7UeZw8NWayoKmw2I2WyqixTBCxlo5MLch82SrObIVI4NHG/jG8zbpifp6eov6SXv4C0oo6BtqM7A3x52F5SWHJmNh0KxZoT1KkC1Lavyj8BvY6ni7a+oxslTkPfSENOaFpAVXc0YKElXZdpYg9dnjLslGoK/KZptLx0LEYl+LUx0aqCZ12kcXdPXgR2cGAz4IEydowd56sXm7Z8FTFEQGqNWDoWGjohBQdWTNlhWm54Rn9HA2NET2ZdajZ1knBfAHGNK+SQ3EVea21UOj9IQjM/f38CeCppaChTEzuAt09hCgtdThIOQn8tVl5DVRV6SFV1LldrexNcbEk/f3RhTmpDBc9uWhxsB/OAAWp6qDXukjm4u3cEciUpYX3CeWZCRXp2fl838IpITVZGcimFjD6xEd+dcAh/YlNTdHphi5yRnLewt5GpsBk4XWfNXk9zRXM2CjLlghjYgTT0lpjAJTGxg5alibKuLglMcMxmf2xFYm9VbxNssRtYjkJfF1ODCfmFTDfekXe4ulwRWwvOjxHZrLxtSK9ReXhpKn15WhfDrANPrAjupyajqHQqKE91UqVbACQLGzs+AG5/7X1QSVlCRno/bUhCSkljF0OwSHIpVK8E6IHSbWhNYGE4KEdaJiBJbSNiLmpyFFAgJoS7cUAhH39SLjhIYwJaU1d9EFdbQWsBXU9yBF1VezxNf1NYb1Ya9VdPGmAPz4QFbkS9HtGsJYmSYzRfKxVUZNpiQ1BAfE5zfxPTmU9cTndxMY2MKook3o5CNFlzbkpvSGqcvJaWtHx5Qkmzi6WEHHxVWENuR8Msd1K7NFZMfquhpKvaTnB8k6SrKMwbQG4S5SFXcwPxCUVzBCn9sGcT2KnVtrO1fGJOKW2mBPaqNtm4HHgI43IF5Y4k7vOma0lpAkuXJE9BYS5BK/CceQh8qC+LeqMY+Qd7QwrgJ
3⤵
PID:2156

C:\Windows\system32\findstr.exe
findstr /V airpuny ""C:\Users\Admin\\calculatingmomentous.bat""
3⤵
PID:1364

C:\Windows\system32\certutil.exe
certutil -f -decode condemnedtoothsome crosssugar.dll
3⤵
PID:1336

C:\Windows\system32\rundll32.exe
rundll32 crosssugar.dll,main
3⤵
- Loads dropped DLL
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\calculatingmomentous.bat
Filesize
1.8MB

MD5
8b5f798bc01985c75d37510670f046b8

SHA1
dc65db3178e9089186160059399ee85cb61e487e

SHA256
d910b9c7e64514dbbceb22bae74790984731877c5e45f06d9e716ae48e1b986a

SHA512
5bd7e9da95587597e1f78cc8e4ac2fcd4fbca281116097b20ac4a5bc579d2ddfc6cb6c678f12f27c621616bc9819be8ae9dd91169a483c7ffa5ce6c8e3dc5312

Download Submit
C:\Users\Admin\condemnedtoothsome
Filesize
1.8MB

MD5
a0fefffb0db449a46b243012f1beb383

SHA1
d6fff628baafed3dff7d2e19c78036b7cd0ea41d

SHA256
faf1adbc627a95eb5879f5ecc6768db7892e11f466304420db9200bf32032e05

SHA512
b6d29a56b19e20868ea56b381c53f49e8111d190edaa17ad8c91e4d4eeeb9ab74e1f92df886ea4e3078f014509c08d1301f3a3f590a2af53beab573a117604be

Download Submit
C:\Users\Admin\crosssugar.dll
Filesize
1.4MB

MD5
1d9e331af631be2b1d5f6e5816afddd0

SHA1
b8d9864f1c15f4692cde377f4f63804a68f3b7d1

SHA256
34eec1db863d20eeba7568a74b64ddc2c6510762c6ff59a4a00e3d5a70d68fa7

SHA512
771ab41d4d361a000d0a76077098a7d8e63d6375d1dfdedf9e916508a8a5455260e839439babbf6e2500581c0e65b21eb22649e1b8c8db467603229c3c001ab0

Download Submit
memory/4556-1827-0x0000014C96C10000-0x0000014C96C33000-memory.dmp

Filesize
140KB

Download
memory/4556-1828-0x00007FFD0F850000-0x00007FFD0F9B2000-memory.dmp

Filesize
1.4MB

Download