strela | b58ea9bb8dd69dd81aab6c75466487b9f0e23c5f5c473d22bc7bffa5ef9cfbed

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WoWBox.exe
Size

2.1MB
MD5

4005f6935569c34b39e4faeeccdde17a
SHA1

d7056c7627043f41f401b893f790cdba0c1a99d5
SHA256

4a54a37b88700b28dc2fad3d772df86c5aacdf9a607dda4429a3a90317ddf946
SHA512

fbd1dbd4a9c2669897cf811a3fe69b32496d667c09f821a3a9ac76bd3f00d0a13675a73c650e6ba03adc7da8b98c80db29b118f388c8d100c79f1e402487d1a7
SSDEEP

49152:zinbTv9g5WNfV9XrnOVsAxq20YaErpVS55Id60bO70y37ebp5ZaKb:zibDT9qVseq20YaEVV7csOj37ebUKb

Score

10^/10

strela discovery stealer upx

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral23/memory/2068-6-0x0000000000400000-0x000000000081C000-memory.dmp	family_strela

Strela family
strela
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
2068	WoWBox.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral23/memory/2068-1-0x0000000000400000-0x000000000081C000-memory.dmp	upx
behavioral23/memory/2068-6-0x0000000000400000-0x000000000081C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WoWBox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	WoWBox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	WoWBox.exe
2068	WoWBox.exe

C:\Users\Admin\AppData\Local\Temp\WoWBox.exe
"C:\Users\Admin\AppData\Local\Temp\WoWBox.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\pipfactory.mod

Filesize
65KB

MD5
d04438de49859c75d1ab799eab828c35

SHA1
8c778878a7b3686d7535d2d7acc65910c93ef3f7

SHA256
09e5f0f9c441129dccbe32cedc46c1f6336a8ff7a5b76fc1ac357ff86374b5db

SHA512
c0a39dc638370dae246e5939f7f1b5c9316083c18b0e6a4b70035c6d690107da26867147f78344a469c14431df48149f97d61d4693ce8b557469631b22b25c49

Download Submit
memory/2068-1-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2068-5-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2068-6-0x0000000000400000-0x000000000081C000-memory.dmp

Filesize
4.1MB

Download
memory/2068-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download