strela | 81e45c1e6d6a718624159e116e6daa8c1547f39bef7f56163303e7eca8abfae1

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

3.9MB
MD5

81e69b29c4c09391a12b665e7661f48e
SHA1

b103b694d12544c9db444badd9e2263d219698b1
SHA256

81e45c1e6d6a718624159e116e6daa8c1547f39bef7f56163303e7eca8abfae1
SHA512

5476b9fa6967aefcb73793c965224c93d2ab46268830fcb71c69bc864e22e0cb92512959fe7a728ee77c2bde00e3ce9eda64d015ff1ef34273292707680c0042
SSDEEP

98304:QhVVJqioKMFh1qKsbZcMgsGwNmlCNE4CJgcMyfQP/4:QhV1pMzHQCMFGImHgcM54

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c75-33.dat	family_strela
behavioral2/memory/428-34-0x0000000004790000-0x0000000004D5D000-memory.dmp	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 14 IoCs

pid	Process
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe
428	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr71.dll	setup.exe
File created	C:\Windows\SysWOW64\mfc71.dll	setup.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\7.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\9.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\uninstall.exe	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\3.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\Fonts.dat	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\SausageBottomAlpha.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\4.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\5.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\6.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\Background.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\RedLight.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\12.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\13.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\16.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\Sausage Fattener 32.dat	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\8.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\GreenLight.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\OverlayKnob.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\SausageBottom.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\Wheel2.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\1.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\14.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\15.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\11.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\SmallKnob.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\Sausage Fattener 64.dat	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\10.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\2.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\AboutBox.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\BigKnob.bmp	setup.exe
File created	C:\Program Files (x86)\Steinberg\Vstplugins\Dada Life\Sausage Fattener\Resource\OrangeLight.bmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
428	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	548	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
428	setup.exe
428	setup.exe
428	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x4b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\AdvSplash.dll

Filesize
6KB

MD5
13cc92f90a299f5b2b2f795d0d2e47dc

SHA1
aa69ead8520876d232c6ed96021a4825e79f542f

SHA256
eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

SHA512
ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\Bass.dll

Filesize
101KB

MD5
a8af308ff01b4477657955fbf0cc8408

SHA1
0794c059f0326e4a71be8a3ee4ac17a657d90d88

SHA256
14a38f56be50a3829eb1eda2a908da2de5913f81d5cb01d8b668593d0fc36594

SHA512
9e221967db95d4b86bf311891193dfd1515806aa0d43198d3bc26a17d77f06f212ab9dba1ca8575f50d224380e8b109529faccf2f56daac834da83a83677a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\GetVersion.dll

Filesize
8KB

MD5
e013b625f5ae1e2f0b442cf39c0069df

SHA1
9ec785b63279144c091366badda65278c4cdee20

SHA256
16dd6da98b7e53d374830cd4c644c01b112955f8487a285f34dc0353e9cfac15

SHA512
306f7e674d119d129db48012c43f825bffabd078fac8518aea9d514b0787752a2e876bda2ad15df7332bfc8cfba38a0d1be17ee7c58a27e09678fce9aec58418

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\NSIS_SkinCrafter_Plugin.dll

Filesize
5.8MB

MD5
028251654a4d65509aa8ccb5f2ee284a

SHA1
4a4ad468a86df6b903002be4f8919017fea0c152

SHA256
8b25cf3f7aa82fadccb2ce615ce0e40c5a8a3ea7bc51180a92173ee113a0ccfe

SHA512
f252670bca0da9e8e2c519a6ef4ad6dd0c4e548aeb7566693a7d203e73e63345fc58683072020ef771d836429bed1d7b4fdf105aa3e62a969e9c8d39556e1d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\SkinCrafter.dll

Filesize
792KB

MD5
8fea8fd177034b52e6a5886fb5e780bd

SHA1
99f511388a2420d53b8406baed48ba550842eaad

SHA256
546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

SHA512
5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\ioSpecial.ini

Filesize
572B

MD5
a552493532d14e11db843daac7aad4f9

SHA1
d2c54d9c5328f586bd4f4b30f16b3e3b48527dc3

SHA256
3c9fd4001122cc52b7a245c1a55539428b4d5fa4ec68f6b428afad6f8b5e724c

SHA512
b1cd088286367643cc30701361dab095b0870a20095c19b726e8fbc07688eae5b38b9a36a74ddc24743bc0f9a215057c7a14f00b5498a77c5b65c5e707abc962

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\ioSpecial.ini

Filesize
710B

MD5
ee80c912ad8d0fb37e41bddf35f76e61

SHA1
6ec0200ae884891e057ce8688949669ecbdfcdb5

SHA256
e6ebcce9a36b8bc07e22584e8cf773266ab6af99418ca86fa1c4228763a23f70

SHA512
aaa3d4d9f16031f6f2d93510ce7265db4f34ed99c3168a6206ef68997ab50dac9bdf44fc661adb35cc8cc1bbebdd5270bbd62cefa7361de233982e7cf488d1b4

Download Submit
C:\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1
9a4faa258b375e173feaca91a8bd920baf1091eb

SHA256
385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

SHA512
109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
memory/428-15-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-240-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-34-0x0000000004790000-0x0000000004D5D000-memory.dmp

Filesize
5.8MB

Download
memory/428-16-0x000000000304C000-0x000000000304D000-memory.dmp

Filesize
4KB

Download
memory/428-135-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-145-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-26-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-27-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-239-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-44-0x0000000004D60000-0x0000000004E2C000-memory.dmp

Filesize
816KB

Download
memory/428-241-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-242-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-243-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-244-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-245-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-246-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-247-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-248-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download
memory/428-249-0x0000000003000000-0x000000000304D000-memory.dmp

Filesize
308KB

Download