Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2024, 16:07

General

  • Target

    18262829011200.js

  • Size

    345KB

  • MD5

    301503edfb1ea723b231b416c2a81f0f

  • SHA1

    dd41fda85637d2593ef4aad407371ec830fe171d

  • SHA256

    544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45

  • SHA512

    f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5

  • SSDEEP

    6144:FSxcuKYMvWe+ch9Bi7PoOCSElpHMnOInDOWPZsngSKTj+c42pf:+cRYMv5+ctgEBmODYsw+h2pf

Malware Config

Extracted

  • Family
    strela
  • C2
    193.109.85.231
  • Attributes
    • url_path
      /server.php
    • user_agent
      Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537

Signatures

  • Detects Strela Stealer payload 3 IoCs
  • Strela family
  • Strela stealer

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 4 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\18262829011200.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\18262829011200.js" "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat" && "C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\system32\findstr.exe
        findstr /V marrywise ""C:\Users\Admin\AppData\Local\Temp\\trousersperpetual.bat""
        3⤵
          PID:1856
        • C:\Windows\system32\certutil.exe
          certutil -f -decode magnificentdevelopment returnready.dll
          3⤵
          • Deobfuscate/Decode Files or Information
          PID:2784
        • C:\Windows\system32\cmd.exe
          cmd /c rundll32 returnready.dll,m
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\system32\rundll32.exe
            rundll32 returnready.dll,m
            4⤵
            • Loads dropped DLL
            PID:2468

Downloads

  • C:\Users\Admin\AppData\Local\Temp\magnificentdevelopment
    Filesize
    338KB
    MD5
    04d8d28e9039e6861017650bb59f24b3
    SHA1
    53741049bc23ab05658dc32ad54326a87dd0edee
    SHA256
    54d3f28c9044ca9b16d3584d7bfac00c65f8aa6369801b340e1a7348d4681bef
    SHA512
    05c9830335b82a5dd020e097e8fb3241e52d60875d951b13dfe82ad590c922ed6884ae5f9a1d2a6270c0d3456bc88ed8d373c5fdedca8a604f65ce986f00cf32

  • C:\Users\Admin\AppData\Local\Temp\returnready.dll
    Filesize
    252KB
    MD5
    9499f14143b34ea7703c73b5f9b37013
    SHA1
    ceff6b19826c9a4e9b9e8cbcc512d5241a27825e
    SHA256
    e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1
    SHA512
    f14dec41f677fb3e2af064b4b7a6b3b15bec8429a831a78247513853d4ce7511ed37e89e52ebadbed03ab9115dcea3cc316b90e99c939d07402b5a554d722668

  • C:\Users\Admin\AppData\Local\Temp\trousersperpetual.bat
    Filesize
    345KB
    MD5
    301503edfb1ea723b231b416c2a81f0f
    SHA1
    dd41fda85637d2593ef4aad407371ec830fe171d
    SHA256
    544887bc3f0dccb610dd7ba35b498a03ea32fca047e133a0639d5bca61cc6f45
    SHA512
    f5df4b28a0f012b458026ef7caa2f460f51476a67e63e63641631dc5672b4920422618afb36af17373ffdfcc678370dc965678f3d3f1dda5326589c2a471f9d5

  • memory/2468-393-0x0000000000470000-0x0000000000493000-memory.dmp
    Filesize
    140KB

  • memory/2468-395-0x0000000000470000-0x0000000000493000-memory.dmp
    Filesize
    140KB

  • memory/2468-394-0x000007FEFAA00000-0x000007FEFAA47000-memory.dmp
    Filesize
    284KB