Malware Analysis Report

2025-01-18 09:29

Sample ID 240219-vhdmwshd35
Target XDR_ResponseApp_CollectFile_RM-20240219-00004_91d04b38-9cf1-40cb-bcaa-7774254ddf2d_20240219T145443Z.7z
SHA256 b7b12febaaca57c9e2eb77a602091823673e44cdc104ec31f053fd80f1c4c9bf
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7b12febaaca57c9e2eb77a602091823673e44cdc104ec31f053fd80f1c4c9bf

Threat Level: Known bad

The file XDR_ResponseApp_CollectFile_RM-20240219-00004_91d04b38-9cf1-40cb-bcaa-7774254ddf2d_20240219T145443Z.7z was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-19 16:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-19 16:59

Reported

2024-02-19 17:02

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

199s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js

Signatures

Strela

stealer strela

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js" "C:\Users\Admin\\hardgorgeous.bat" && "C:\Users\Admin\\hardgorgeous.bat"

C:\Windows\system32\findstr.exe

findstr /V ultrasilver ""C:\Users\Admin\\hardgorgeous.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode tacitcarriage clubadventurous.dll

C:\Windows\system32\rundll32.exe

rundll32 clubadventurous.dll,main

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\wscript.exe

wscript.exe

C:\Windows\System32\wscript.exe

C:\Windows\System32\wscript.exe "C:\Users\Admin\AppData\Local\Temp\12843_12787719123142.js"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.81.204.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |

Files

C:\Users\Admin\hardgorgeous.bat

MD5 f8486079374c877838105e2abee989ea
SHA1 42492020df4f434b815ba4a4805f29a986f6b797
SHA256 0747d133621a738dfb820f8d895903b29261da67e664380d2a914441463d27ed
SHA512 7d42acf7a0c0632d4f2917c654878b2bea7b49e49a49d928cad1548e4e92b2b8ae89d0f9b0da50184ae6d4c123625436fb0ae676bdb36849c7800e39fe54e7cf

C:\Users\Admin\tacitcarriage

MD5 9f2d966e15473fbdd5777a10e0feb621
SHA1 239e9d101b5daa4ff42fbc3c254d17011b3ca076
SHA256 558e81e42c38f21889374c64c8b5bd2ccdd6c541f801deb14b7cb883442599cb
SHA512 717067edee06b410aef765c564e59f9a450296544918a05263f8f4e5c59979208b8871ef82343a416d68470e10de03d93cb69c61a287a2bf6d2a769127dfed72

C:\Users\Admin\clubadventurous.dll

MD5 dbadec458fa715463aa3a94e48e44d96
SHA1 20ec3cbf9c6be6dea074fc92f396a6eb4f811963
SHA256 fdebb69b03f80d35557f73187616e510c62710ff2e95c4d6281eb0fc71f63d14
SHA512 c97448e76bf4a03ef2b64c11f2fed33159b3f8874c9306fad804d260c3655b27a49735247a2a134a6ed9fd44628484549514ddeb9e0ef9897cc99d327468a6ed

memory/804-1554-0x000001DA7EA90000-0x000001DA7EAB3000-memory.dmp

memory/804-1553-0x00007FFDC7AB0000-0x00007FFDC7BE0000-memory.dmp