strela | 3189efaf2330177d2817cfb69a8bfa3b846c24ec534aa3e6b66c8a28f3b18d4b

General

Target

18262829011200.js
Size

345KB
MD5

301503edfb1ea723b231b416c2a81f0f
SHA1

dd41fda85637d2593ef4aad407371ec830fe171d
SHA256

544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45
SHA512

f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5
SSDEEP

6144:FSxcuKYMvWe+ch9Bi7PoOCSElpHMnOInDOWPZsngSKTj+c42pf:+cRYMv5+ctgEBmODYsw+h2pf

Score

10^/10

strela defense_evasion execution stealer

Malware Config

Extracted

Family

strela

C2

193.109.85.231

Attributes

url_path
/server.php
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537

Signatures

Detects Strela Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2468-393-0x0000000000470000-0x0000000000493000-memory.dmp	family_strela
behavioral1/memory/2468-395-0x0000000000470000-0x0000000000493000-memory.dmp	family_strela
behavioral1/memory/2468-394-0x000007FEFAA00000-0x000007FEFAA47000-memory.dmp	family_strela

Strela family
strela
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2468 rundll32.exe
2468 rundll32.exe
2468 rundll32.exe
2468 rundll32.exe
Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs
Payload decoded via CertUtil.
defense_evasion

Deobfuscate/Decode Files or Information
T1140

Processes:

certutil.exe

pid process

2784 certutil.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2468	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe

pid	process
2784	certutil.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 2368	1804	wscript.exe	cmd.exe
PID 1804 wrote to memory of 2368	1804	wscript.exe	cmd.exe
PID 1804 wrote to memory of 2368	1804	wscript.exe	cmd.exe
PID 2368 wrote to memory of 1856	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1856	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 1856	2368	cmd.exe	findstr.exe
PID 2368 wrote to memory of 2784	2368	cmd.exe	certutil.exe
PID 2368 wrote to memory of 2784	2368	cmd.exe	certutil.exe
PID 2368 wrote to memory of 2784	2368	cmd.exe	certutil.exe
PID 2368 wrote to memory of 2216	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2216	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2216	2368	cmd.exe	cmd.exe
PID 2216 wrote to memory of 2468	2216	cmd.exe	rundll32.exe
PID 2216 wrote to memory of 2468	2216	cmd.exe	rundll32.exe
PID 2216 wrote to memory of 2468	2216	cmd.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\18262829011200.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18262829011200.js" "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat" && "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\findstr.exe
    findstr /V marrywise ""C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat""
    3⤵
    PID:1856
- - C:\Windows\system32\certutil.exe
    certutil -f -decode magnificentdevelopment returnready.dll
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2784
- - C:\Windows\system32\cmd.exe
    cmd /c rundll32 returnready.dll,m
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\rundll32.exe
      rundll32 returnready.dll,m
      4⤵
      Loads dropped DLL
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\magnificentdevelopment

Filesize
338KB

MD5
04d8d28e9039e6861017650bb59f24b3

SHA1
53741049bc23ab05658dc32ad54326a87dd0edee

SHA256
54d3f28c9044ca9b16d3584d7bfac00c65f8aa6369801b340e1a7348d4681bef

SHA512
05c9830335b82a5dd020e097e8fb3241e52d60875d951b13dfe82ad590c922ed6884ae5f9a1d2a6270c0d3456bc88ed8d373c5fdedca8a604f65ce986f00cf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\returnready.dll

Filesize
252KB

MD5
9499f14143b34ea7703c73b5f9b37013

SHA1
ceff6b19826c9a4e9b9e8cbcc512d5241a27825e

SHA256
e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1

SHA512
f14dec41f677fb3e2af064b4b7a6b3b15bec8429a831a78247513853d4ce7511ed37e89e52ebadbed03ab9115dcea3cc316b90e99c939d07402b5a554d722668

Download Submit
C:\Users\Admin\AppData\Local\Temp\trousersperpetual.bat

Filesize
345KB

MD5
301503edfb1ea723b231b416c2a81f0f

SHA1
dd41fda85637d2593ef4aad407371ec830fe171d

SHA256
544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45

SHA512
f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5

Download Submit
memory/2468-393-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2468-395-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2468-394-0x000007FEFAA00000-0x000007FEFAA47000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing