strela | 9bfcd902f51c2898e4e71d87f8a8f00ccb26cc3cb11191767ce21a0e51d1a468

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18491242336191.js
Size

353KB
MD5

00a488ef84d5c94fcc82506405c1fb20
SHA1

660c34be4fc2cfad57705d5a607bedfdf5597e7d
SHA256

9b24c97d6400214ccfdf2ef5bdc89de58bbe54745b7caa03d0ca0f7861c985e1
SHA512

8f9370c6f35c7baaca1e8390843cceaf9a775f799cd44736072b78532a11df239cc64cde336bb033399d37e2f8e4d7aa7f82e21226b2f6b33fb2246db48e6484
SSDEEP

6144:GNP/Va6wVPV7GUIxX1uUcaDG1xo2p/Ws8LPF5Nevr:GNnVaTVPV7GUa1/cQG1x5p/zeevr

Score

10^/10

strela stealer

Malware Config

Signatures

Strela
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2732 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2732	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 2940	4900	wscript.exe	cmd.exe
PID 4900 wrote to memory of 2940	4900	wscript.exe	cmd.exe
PID 2940 wrote to memory of 3012	2940	cmd.exe	findstr.exe
PID 2940 wrote to memory of 3012	2940	cmd.exe	findstr.exe
PID 2940 wrote to memory of 824	2940	cmd.exe	certutil.exe
PID 2940 wrote to memory of 824	2940	cmd.exe	certutil.exe
PID 2940 wrote to memory of 1036	2940	cmd.exe	cmd.exe
PID 2940 wrote to memory of 1036	2940	cmd.exe	cmd.exe
PID 1036 wrote to memory of 2732	1036	cmd.exe	rundll32.exe
PID 1036 wrote to memory of 2732	1036	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\18491242336191.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18491242336191.js" "C:\Users\Admin\AppData\Local\Temp\\belllegal.bat" && "C:\Users\Admin\AppData\Local\Temp\\belllegal.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\findstr.exe
findstr /V carriagerun ""C:\Users\Admin\AppData\Local\Temp\\belllegal.bat""
3⤵
PID:3012

C:\Windows\system32\certutil.exe
certutil -f -decode timepolish jealousland.dll
3⤵
PID:824

C:\Windows\system32\cmd.exe
cmd /c rundll32 jealousland.dll,m
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\rundll32.exe
rundll32 jealousland.dll,m
4⤵
- Loads dropped DLL
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\belllegal.bat
Filesize
353KB

MD5
00a488ef84d5c94fcc82506405c1fb20

SHA1
660c34be4fc2cfad57705d5a607bedfdf5597e7d

SHA256
9b24c97d6400214ccfdf2ef5bdc89de58bbe54745b7caa03d0ca0f7861c985e1

SHA512
8f9370c6f35c7baaca1e8390843cceaf9a775f799cd44736072b78532a11df239cc64cde336bb033399d37e2f8e4d7aa7f82e21226b2f6b33fb2246db48e6484

Download Submit
C:\Users\Admin\AppData\Local\Temp\jealousland.dll
Filesize
258KB

MD5
363e3e964b6d304e8110b1a2eb61fdc5

SHA1
b449942d73eceafc430a95e8095759a74db6837c

SHA256
2bf87306136fb02e8ed7770bcee23d77dad2ab45fbe70d24f226afc1e236e01f

SHA512
4fed29c1e7bc7f604515b6439e77475ea4f85771ba0d28397f40a3a9866aa881b0c6b9bc524115fa6f213ddd650ff886b43fa620aa4f1269314d6dd20670b505

Download Submit
C:\Users\Admin\AppData\Local\Temp\timepolish
Filesize
346KB

MD5
5b1835d9b309c246b6e269a3143653c3

SHA1
0a872a6f63eb8e100979821bade186f5d73d6dbe

SHA256
f0b862a5c62cc552e14a345efbf0816e37078f312bd46c3663a4be9fd911a893

SHA512
78228fc71a8152f1c3ee157db379033211eb63857a0520755505f2b1f0f5c0ab952ff536d96b85b1ef2f6c7ecc56d742f19888c2039212fb947890a1bbdc8360

Download Submit
memory/2732-458-0x00000213FF6B0000-0x00000213FF6D3000-memory.dmp

Filesize
140KB

Download
memory/2732-459-0x00007FFFD7810000-0x00007FFFD7858000-memory.dmp

Filesize
288KB

Download