Malware Analysis Report

2025-01-18 09:29

Sample ID 240325-sd558sbc73
Target iberimex.zip
SHA256 0dc793ea91ef452d4876409d24bb4b162528c2297052482b489f98a017834537
Tags: strela stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0dc793ea91ef452d4876409d24bb4b162528c2297052482b489f98a017834537

Threat Level: Known bad

The file iberimex.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 15:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 15:01

Reported

2024-03-25 15:04

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

Signatures

Strela

stealer strela

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2072 wrote to memory of 2492 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2492 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2492 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2492 wrote to memory of 2864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 2864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 2864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2492 wrote to memory of 2092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2492 wrote to memory of 2092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2492 wrote to memory of 2092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2492 wrote to memory of 896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 896 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 896 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 896 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 896 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"

C:\Windows\system32\findstr.exe

findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode zephyrhome tickettoys.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 tickettoys.dll,m

C:\Windows\system32\rundll32.exe

rundll32 tickettoys.dll,m

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\obtainfaint.bat

MD5 cd856039e0eadf0f5dfdcd036cb3edc9
SHA1 b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512 a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

C:\Users\Admin\AppData\Local\Temp\zephyrhome

MD5 ec27c9d32b638666b649301419776e16
SHA1 1480c2bbd1de5aeed98401dca0378917461b9cfb
SHA256 a3df024a2c70213924c7e13f2f891d5fbfe6d1d46057076cd53bef17cb78ad21
SHA512 b360f85b7b6e0795afe1f7ca69dd0a0172199ba80b332af00d5110be2bd584b3cb08df0dbba384b32f15ef98a67ed4f045dd3b372717ab142890a8c7ed893efa

C:\Users\Admin\AppData\Local\Temp\tickettoys.dll

MD5 4cc26a2da2049ff4509091cdbf004c5e
SHA1 0bba8d2338b7db224047760a27c57afa02748f05
SHA256 3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312
SHA512 cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

memory/692-715-0x000007FEF7770000-0x000007FEF77B8000-memory.dmp

memory/692-716-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/692-717-0x0000000000390000-0x00000000003B3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 15:01

Reported

2024-03-25 15:04

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1688 wrote to memory of 100 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 1688 wrote to memory of 100 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe
PID 100 wrote to memory of 1092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 100 wrote to memory of 1092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 100 wrote to memory of 588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 100 wrote to memory of 588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 100 wrote to memory of 4564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 100 wrote to memory of 4564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 3372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4564 wrote to memory of 3372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\287212633216314.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\287212633216314.js" "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat" && "C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat"

C:\Windows\system32\findstr.exe

findstr /V outrageousdepressed ""C:\Users\Admin\AppData\Local\Temp\\obtainfaint.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode zephyrhome tickettoys.dll

C:\Windows\system32\cmd.exe

cmd /c rundll32 tickettoys.dll,m

C:\Windows\system32\rundll32.exe

rundll32 tickettoys.dll,m

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
GB | 96.17.178.194:80 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\obtainfaint.bat

MD5 cd856039e0eadf0f5dfdcd036cb3edc9
SHA1 b0692de01ae5e2b4a0df6e41a5ba8e129fbd08bd
SHA256 805906250cc6d183deca8995103f8fc0848c5e25b4d67d72461af0e67ebb9c16
SHA512 a3c45d99c8b1ca02b475b6c2412e6db7e9eabc439228be8a822049708588971f349e504eeb15cac3b637832ee8ec7c6ae36cd84cfa185c82fcbf1b08a8256fcc

C:\Users\Admin\AppData\Local\Temp\zephyrhome

MD5 ec27c9d32b638666b649301419776e16
SHA1 1480c2bbd1de5aeed98401dca0378917461b9cfb
SHA256 a3df024a2c70213924c7e13f2f891d5fbfe6d1d46057076cd53bef17cb78ad21
SHA512 b360f85b7b6e0795afe1f7ca69dd0a0172199ba80b332af00d5110be2bd584b3cb08df0dbba384b32f15ef98a67ed4f045dd3b372717ab142890a8c7ed893efa

C:\Users\Admin\AppData\Local\Temp\tickettoys.dll

MD5 4cc26a2da2049ff4509091cdbf004c5e
SHA1 0bba8d2338b7db224047760a27c57afa02748f05
SHA256 3ad13a452ab86fb5eccbf0bf71f33700369fdd5114c3a8d13c52e722a1586312
SHA512 cabc55978155dfddc6e6f2bbfe712b66998c3858dc52680c9e99f5a8040c001e52d76093e77636f6b03ba63f4798a04dc12c9f8438a5bfe97ccd90ccd2da02de

memory/3372-712-0x00007FFAA48B0000-0x00007FFAA48F8000-memory.dmp

memory/3372-713-0x000001D773940000-0x000001D773963000-memory.dmp