strela | 8ca6dc7fcf25e0e7d4a521d35ec27d08fd5b2832f06f2aa32b52b36b69f47c8c

Resubmissions

19-02-2024 19:16

240219-xzannsbc6y 10

19-02-2024 19:12

240219-xwla1abb8z 1

06-02-2024 16:53

240206-veee1sbeb4 10

Analysis

max time kernel
92s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1727822909290912689.js
Size

647KB
MD5

9d68a860c54584dd2d52f465160ee6ad
SHA1

42270d711512467421fd9f15530a70476f383172
SHA256

cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
SHA512

352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539
SSDEEP

6144:GYkeuxJrlxHlmMkIKjT5/gId68KpldKlZk7bm0KGm63EYnkkenxf2SeefVZwzqzs:GY7orJGIS/gIl3NGN0YnkR+tfVWE

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4148 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4148	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 4208 wrote to memory of 1620	4208	wscript.exe	cmd.exe
PID 4208 wrote to memory of 1620	4208	wscript.exe	cmd.exe
PID 1620 wrote to memory of 1916	1620	cmd.exe	findstr.exe
PID 1620 wrote to memory of 1916	1620	cmd.exe	findstr.exe
PID 1620 wrote to memory of 2656	1620	cmd.exe	certutil.exe
PID 1620 wrote to memory of 2656	1620	cmd.exe	certutil.exe
PID 1620 wrote to memory of 1708	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 1708	1620	cmd.exe	cmd.exe
PID 1708 wrote to memory of 4148	1708	cmd.exe	rundll32.exe
PID 1708 wrote to memory of 4148	1708	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\findstr.exe
findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""
3⤵
PID:1916

C:\Windows\system32\certutil.exe
certutil -f -decode cherryargument high-pitchedhandsomely.dll
3⤵
PID:2656

C:\Windows\system32\cmd.exe
cmd /C rundll32 high-pitchedhandsomely.dll,main
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\rundll32.exe
rundll32 high-pitchedhandsomely.dll,main
4⤵
- Loads dropped DLL
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cherryargument
Filesize
306KB

MD5
e0ab76e2f14e9a8d3314f0d88924c318

SHA1
debed77dc28f418fa1d4d3c76d11f543cd75ce73

SHA256
ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca

SHA512
e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac

Download Submit
C:\Users\Admin\high-pitchedhandsomely.dll
Filesize
229KB

MD5
7510774ef92e9c6a391b92a0bd3f408b

SHA1
741652f31e83c6ed6908ed4e0cfc46f79451d985

SHA256
4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c

SHA512
a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264

Download Submit
C:\Users\Admin\yelltame.bat
Filesize
647KB

MD5
9d68a860c54584dd2d52f465160ee6ad

SHA1
42270d711512467421fd9f15530a70476f383172

SHA256
cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff

SHA512
352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539

Download Submit
memory/4148-198-0x00007FFF627B0000-0x00007FFF627F1000-memory.dmp

Filesize
260KB

Download
memory/4148-199-0x0000018CE0550000-0x0000018CE0573000-memory.dmp

Filesize
140KB

Download