Malware Analysis Report

2025-01-18 09:30

Sample ID: 240219-xzannsbc6y
Target: quisisana-ag.zip
SHA256: 8ca6dc7fcf25e0e7d4a521d35ec27d08fd5b2832f06f2aa32b52b36b69f47c8c
Tags: strela stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8ca6dc7fcf25e0e7d4a521d35ec27d08fd5b2832f06f2aa32b52b36b69f47c8c

Threat Level: Known bad

The file quisisana-ag.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-19 19:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-19 19:16
Reported: 2024-02-19 19:21
Platform: win10v2004-20231215-en
Max time kernel: 92s
Max time network: 134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js

Signatures

Strela

stealer strela

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\wscript.exe
Target: N/A

The queried value (HKCU\Control Panel\International\Geo\Nation) holds the GeoID of the user's configured location, so the script stage reads the victim's country before it does anything else. The report does not show what decision the sample takes on the answer.

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Indicator: N/A for every row. Each row is a parent writing into a process it has just spawned, which is normal for CreateProcess (the parent writes start-up data into the new child); no write into an unrelated process is listed, so this table is best read as the process tree of the detonation. The raw report logs every pair twice.

Writer (PID, image)                     -> Target (PID, image)                      Events
4208 C:\Windows\system32\wscript.exe    -> 1620 C:\Windows\System32\cmd.exe         2
1620 C:\Windows\System32\cmd.exe        -> 1916 C:\Windows\system32\findstr.exe     2
1620 C:\Windows\System32\cmd.exe        -> 2656 C:\Windows\system32\certutil.exe    2
1620 C:\Windows\System32\cmd.exe        -> 1708 C:\Windows\system32\cmd.exe         2
1708 C:\Windows\system32\cmd.exe        -> 4148 C:\Windows\system32\rundll32.exe    2

Processes

PIDs are taken from the WriteProcessMemory table; indentation shows parent/child relationships.

PID 4208  C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js

  PID 1620  C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"
      The script copies itself, unchanged, to yelltame.bat and runs the copy, so the same file executes first as JScript under wscript.exe and then as a batch file under cmd.exe.

    PID 1916  C:\Windows\system32\findstr.exe
        findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""
        Prints every line of the batch file that does not contain "complexsugar". Its output ended up in C:\Users\Admin\cherryargument, the file certutil decodes in the next step; output redirection is handled by cmd.exe and therefore never appears in the child's command line.

    PID 2656  C:\Windows\system32\certutil.exe
        certutil -f -decode cherryargument high-pitchedhandsomely.dll
        Base64-decodes the filtered text into a DLL. Both file names are relative and resolve against the working directory, C:\Users\Admin, where the Files section lists them.

    PID 1708  C:\Windows\system32\cmd.exe
        cmd /C rundll32 high-pitchedhandsomely.dll,main

      PID 4148  C:\Windows\system32\rundll32.exe
          rundll32 high-pitchedhandsomely.dll,main
          Loads the decoded DLL and calls its "main" export. The "Loads dropped DLL" signature and the two memory dumps listed under Files belong to this process.
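The chain above is detectable from process-creation telemetry alone (Sysmon Event ID 1 or Security 4688) by combining parent lineage with a few command-line patterns. The following is an added example written for this write-up, not code from the sandbox or from any product; the events are transcribed from the PIDs and command lines in this report, and the parent PID of wscript.exe, which the report does not give, is set to 0 as a stand-in.

```python
"""Lineage-based detection for the script-host -> cmd -> findstr/certutil -> rundll32 chain.

Added example for this report (constructed event set; wscript.exe's parent PID is
not in the report and is recorded as 0 here).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon Event ID 1 / Security 4688 record it
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLLs under these roots are not flagged; relative names, %USERPROFILE%, %TEMP% are.
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from the process itself up to the oldest ancestor we know of."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def evaluate(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches one of four rules."""
    findings = []
    for e in events:
        chain = ancestry(events, e.pid)
        name, parent = chain[0], (chain[1] if len(chain) > 1 else "")
        under_script_host = any(a in SCRIPT_HOSTS for a in chain[1:])
        cl = e.cmdline.lower()

        # 1. cmd.exe spawned by a script host that copies the script to a .bat and runs it
        if name == "cmd.exe" and parent in SCRIPT_HOSTS and \
                re.search(r"\bcopy\b.*\.(js|jse|vbs|vbe|wsf)\b.*\.bat\b", cl):
            findings.append(("script_copied_to_bat", e.pid))

        # 2. findstr /V used as a line filter somewhere below a script host
        if name == "findstr.exe" and under_script_host and re.search(r"\s/v\b", cl):
            findings.append(("findstr_v_filter_from_script", e.pid))

        # 3. certutil decoding below a script host (LOLBin base64 decode)
        if name == "certutil.exe" and under_script_host and re.search(r"-decode\b", cl):
            findings.append(("certutil_decode_from_script", e.pid))

        # 4. rundll32 calling an export of a DLL outside trusted roots, below a script host
        if name == "rundll32.exe" and under_script_host:
            m = re.match(r'\s*(?:"[^"]*"|\S+)\s+("[^"]+"|[^\s,]+),(\S+)', e.cmdline)
            if m and not m.group(1).strip('"').lower().startswith(TRUSTED_DLL_ROOTS):
                findings.append(("rundll32_untrusted_dll_export", e.pid))
    return findings


# Events transcribed from the report's process list (constructed dataset).
REPORT_EVENTS = [
    ProcEvent(4208, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js"),
    ProcEvent(1620, 4208, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\1727822909290912689.js" "C:\Users\Admin\\yelltame.bat" && "C:\Users\Admin\\yelltame.bat"'),
    ProcEvent(1916, 1620, r"C:\Windows\system32\findstr.exe",
              r'findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""'),
    ProcEvent(2656, 1620, r"C:\Windows\system32\certutil.exe",
              "certutil -f -decode cherryargument high-pitchedhandsomely.dll"),
    ProcEvent(1708, 1620, r"C:\Windows\system32\cmd.exe",
              "cmd /C rundll32 high-pitchedhandsomely.dll,main"),
    ProcEvent(4148, 1708, r"C:\Windows\system32\rundll32.exe",
              "rundll32 high-pitchedhandsomely.dll,main"),
]

# Benign control (constructed): a Control Panel applet started by a process we have no event for.
BENIGN_EVENTS = [
    ProcEvent(3000, 1234, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, pid in evaluate(REPORT_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Rules 2 to 4 deliberately key on lineage rather than on the parent alone: certutil and rundll32 here are grandchildren and great-grandchildren of wscript.exe, with cmd.exe in between, so a parent-only rule would miss them.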

Network

Country  Destination        Domain (query name)            Proto
US       8.8.8.8:53         81.171.91.138.in-addr.arpa     udp
US       8.8.8.8:53         241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53         5.179.17.96.in-addr.arpa       udp
US       138.91.171.81:80   (none)                         tcp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53         68.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53         183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53         178.223.142.52.in-addr.arpa    udp
US       8.8.8.8:53         103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53         56.126.166.20.in-addr.arpa     udp
US       8.8.8.8:53         28.160.77.104.in-addr.arpa     udp
US       8.8.8.8:53         21.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53         29.179.17.96.in-addr.arpa      udp

All recorded DNS traffic consists of reverse (PTR) lookups sent to 8.8.8.8; no forward A/AAAA query appears. The only non-DNS flow is TCP to 138.91.171.81:80, and the first PTR query, 81.171.91.138.in-addr.arpa, is the reverse lookup for that same address. The table does not attribute flows to processes, so the remaining PTR targets cannot be tied to the sample from this report alone.
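A quick way to separate the one address the sample actually talked to from the background reverse lookups is to turn every in-addr.arpa name back into an IP and match it against the TCP destinations. This is an added example for this write-up, not part of the report; the rows are transcribed from the table above.

```python
"""Correlate PTR query names with direct connections in a sandbox network table.

Added example (not from the report). NETWORK_ROWS is transcribed from the table;
the empty string stands for the blank Domain cell of the TCP row.
"""
import ipaddress
from typing import Optional

NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "81.171.91.138.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "5.179.17.96.in-addr.arpa", "udp"),
    ("US", "138.91.171.81:80", "", "tcp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "178.223.142.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.160.77.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "29.179.17.96.in-addr.arpa", "udp"),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """'81.171.91.138.in-addr.arpa' -> '138.91.171.81'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def correlate(rows) -> dict[str, str]:
    """Label each IP 'ptr_and_connect', 'ptr_only' or 'connect_only'."""
    ptr_ips, conn_ips = set(), set()
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip:
            ptr_ips.add(ip)
        if proto == "tcp":
            conn_ips.add(dest.rsplit(":", 1)[0])   # strip the port
    verdict = {}
    for ip in ptr_ips | conn_ips:
        if ip in ptr_ips and ip in conn_ips:
            verdict[ip] = "ptr_and_connect"
        elif ip in conn_ips:
            verdict[ip] = "connect_only"
        else:
            verdict[ip] = "ptr_only"
    return verdict


if __name__ == "__main__":
    for ip, label in sorted(correlate(NETWORK_ROWS).items(), key=lambda kv: kv[1]):
        print(f"{ip:16s} {label}")
```

On this table the function yields exactly one "ptr_and_connect" address, 138.91.171.81, and eleven "ptr_only" addresses; a "connect_only" result would indicate a hard-coded destination that was never resolved in either direction during the run.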

Files

C:\Users\Admin\yelltame.bat

MD5 9d68a860c54584dd2d52f465160ee6ad
SHA1 42270d711512467421fd9f15530a70476f383172
SHA256 cf66b2a95512490b690794f70d6c847aa8047bee3975c1eb46a7a892f74b9cff
SHA512 352838f21a3664f308327c3e9e7f318d3af3480f0fcf952c2ae9cbd647826baf29274db0545822ff13365271ae2638f3a7b662caf40744b14cf6502abbad0539

C:\Users\Admin\cherryargument

MD5 e0ab76e2f14e9a8d3314f0d88924c318
SHA1 debed77dc28f418fa1d4d3c76d11f543cd75ce73
SHA256 ea11fda572f1131a0e002d3475324411aee6c8760ac69e7118f13170521913ca
SHA512 e978e6f237aff763f8a87f6fc81c6f82bd98afdf210c3f4d2fa88df06ac0d2d421cbbc845d40ff2441a725d0392ecc8e0d0daeac48d49cad6d3cf5a1c08d91ac

C:\Users\Admin\high-pitchedhandsomely.dll

MD5 7510774ef92e9c6a391b92a0bd3f408b
SHA1 741652f31e83c6ed6908ed4e0cfc46f79451d985
SHA256 4254817a71122bb75a09cfa918c3a5c8fac4b44c2073cb5f62f25931531c739c
SHA512 a5a6a058975bdef39be187104895be1656ee8547abd9cdbe0713cf4f7a7f92e5f5c901edf7ba4dd18bd6a9e65631e64f73a681ab3563f8eed00381c257b32264

Memory dumps from PID 4148 (rundll32.exe):

memory/4148-198-0x00007FFF627B0000-0x00007FFF627F1000-memory.dmp

memory/4148-199-0x0000018CE0550000-0x0000018CE0573000-memory.dmp
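The three dropped files above are one transformation applied twice: yelltame.bat filtered by `findstr /V complexsugar` gives cherryargument, and cherryargument decoded by `certutil -decode` gives high-pitchedhandsomely.dll. Both steps can be emulated statically, so the DLL can be recovered from the original script without detonation. The following is an added example written for this write-up, not code from the report or from the sample; the marker word is the one in the report's findstr command, while the script layout and the payload bytes are constructed stand-ins for the real file.

```python
"""Static recovery of the DLL from a findstr/certutil dropper script.

Added example (not from the report). Emulates the two LOLBin steps:
    findstr /V <marker> <file>      keep only lines that do NOT contain <marker>
    certutil -f -decode <in> <out>  base64-decode, tolerating -----BEGIN/END----- lines
The marker is taken from the report; the script layout and payload below are
constructed for illustration and are not the real sample.
"""
import base64
import binascii
import re

MARKER = "complexsugar"   # from: findstr /V complexsugar ""C:\Users\Admin\\yelltame.bat""


def findstr_v(text: str, marker: str) -> list[str]:
    """Emulate `findstr /V marker file` (case-sensitive substring match, line by line)."""
    return [ln for ln in text.splitlines() if marker not in ln]


def certutil_decode(lines: list[str]) -> bytes:
    """Emulate `certutil -decode`: drop blank and -----BEGIN/END----- lines, then
    base64-decode what is left. Anything that is not clean base64 means the marker
    filter left a script line behind, so fail loudly instead of guessing."""
    body = "".join(ln.strip() for ln in lines
                   if ln.strip() and not ln.strip().startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("residue is not base64: marker filter missed a line")
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from exc


def carve_payload(script_text: str, marker: str = MARKER) -> bytes:
    """Run both steps and check that the result looks like a PE image."""
    blob = certutil_decode(findstr_v(script_text, marker))
    if not blob.startswith(b"MZ"):
        raise ValueError("decoded data lacks an MZ header")
    return blob


# ---- constructed sample so the functions can be exercised offline -------------
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\0\0" + bytes(range(64))   # stand-in, not a real PE


def build_polyglot(payload: bytes, marker: str = MARKER) -> str:
    """Lay out a script-plus-blob file the way the chain expects: every script
    line carries the marker, the base64 payload lines do not."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([
        f"// {marker} script line 1 (stand-in, not the real dropper code)",
        f"// {marker} script line 2",
        "-----BEGIN CERTIFICATE-----",
        *chunks,
        "-----END CERTIFICATE-----",
        f"// {marker} script line 3",
    ]) + "\n"


if __name__ == "__main__":
    dll = carve_payload(build_polyglot(FAKE_DLL))
    print(f"recovered {len(dll)} bytes, header={dll[:2]!r}")
```

Against a real sample, feed the original .js text to carve_payload with the marker read off the findstr command line, then hash the result and compare it with the SHA256 the sandbox reports for the dropped DLL; a mismatch means the filter or the header handling differs from what the batch file actually did.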