strela | bf08cb8946d1e68791c527fbbe5986fee7d94282857b635ae49c470af3c5eca7

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 12:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf08cb8946d1e68791c527fbbe5986fee7d94282857b635ae49c470af3c5eca7.dll
Size

128KB
MD5

5d93e05d4d8f3b3f5107b42c1025e3ac
SHA1

c743ca42e1b2ae07973c548212b6dbfd99aafdb2
SHA256

bf08cb8946d1e68791c527fbbe5986fee7d94282857b635ae49c470af3c5eca7
SHA512

93c83795cd8aecf8252a7dd50aa119fb6b5dea4d942ddfe727c023430d9f2036c74ea35ca3e77b89ba32e1e232d22295a7c07c19bfc45329fc6ae6c2b177ca3b
SSDEEP

1536:pqjIyXCf7tYe8r/4prk59JG4+3uE/jCQR/frtGX0sN2on3a3tO0yU95a:wcOChYP/4lk595+ttGX0s0o0Ei

Score

10^/10

strela stealer

Malware Config

Extracted

Family

strela

45.9.74.32

Attributes

url_path
/out.php
user_agent
Mozilla/4.0 (compatible)

Signatures

Detects Strela Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/5008-0-0x000001D727B00000-0x000001D727B22000-memory.dmp	family_strela
behavioral1/memory/5008-1-0x000001D727B00000-0x000001D727B22000-memory.dmp	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf08cb8946d1e68791c527fbbe5986fee7d94282857b635ae49c470af3c5eca7.dll,#1
1⤵
PID:5008

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2F2A96DA84896C34350F826785AE6D9B; domain=.bing.com; expires=Sat, 09-Aug-2025 12:35:26 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C02C0299E8A24BD49D7BBCC803193457 Ref B: LON04EDGE0711 Ref C: 2024-07-15T12:35:26Z
date: Mon, 15 Jul 2024 12:35:26 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2F2A96DA84896C34350F826785AE6D9B

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=q53ZuaPkpPGO7RmmuRe4MSsMpi22IGfEZH6Bxg1gfac; domain=.bing.com; expires=Sat, 09-Aug-2025 12:35:26 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2B5245DE60E240C0BCEBE3977064F021 Ref B: LON04EDGE0711 Ref C: 2024-07-15T12:35:26Z
date: Mon, 15 Jul 2024 12:35:26 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2F2A96DA84896C34350F826785AE6D9B; MSPTC=q53ZuaPkpPGO7RmmuRe4MSsMpi22IGfEZH6Bxg1gfac

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A444AA250F034BD7B1998A7AC86D0A29 Ref B: LON04EDGE0711 Ref C: 2024-07-15T12:35:26Z
date: Mon, 15 Jul 2024 12:35:26 GMT
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

85.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.177.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=28d5aec36eb94aa8ba872ec2b3dbf17f&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

85.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

85.177.190.20.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5008-0-0x000001D727B00000-0x000001D727B22000-memory.dmp

Filesize
136KB

Download
memory/5008-1-0x000001D727B00000-0x000001D727B22000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.