Overview

overview

10

Static

static

1

slopewell-...ne.bat

windows11-21h2-x64

10

Resubmissions

21-01-2025 14:40

250121-r1411syqdr 10

09-11-2023 10:14

231109-l9qxvsgg6v 10

Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-01-2025 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    slopewell-offculturedairplane.bat

  • Size

    403KB

  • MD5

    41447efea024e6158c5711c4982af676

  • SHA1

    b52c1b3849249cc0504b82833c8610b4167cd0b1

  • SHA256

    a2e6bd6582e3002fbd8230007f23047fcacd7ddc071a287e42f54cf4572db5fe

  • SHA512

    d5a29e3b264672b33049984030443f505b573137636420c9b29ddf258a118cb1089caa859ce8f89da2cc1d37607fc8454a19385b77926ea793a6c8c9f77ead1b

  • SSDEEP

    6144:SNGQJKf11ZZewEP7eXGON4FhDGTcJoBY1zWi9qgsgUpQ47GK+:SZKd7ZewaON4FhDGTcJk7i9xbUc

Score
10/10
streladefense_evasionstealer

Malware Config

Extracted

Family

strela

C2

193.109.85.77

Attributes
  • url_path

    /server.php

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537

Signatures

  • Detects Strela Stealer payload 3 IoCs
  • Strela family
    strela
  • Strela stealer

    An info stealer targeting mail credentials first seen in late 2022.

    stealerstrela
  • Loads dropped DLL 1 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

    defense_evasion
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\slopewell-offculturedairplane.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\system32\findstr.exe
      findstr /V officebaiteggsexpect "C:\Users\Admin\AppData\Local\Temp\slopewell-offculturedairplane.bat"
      2⤵
        PID:5100
      • C:\Windows\system32\certutil.exe
        certutil -f -decode advicediscoverjeansupbeat energeticliverelyamused.dll
        2⤵
        • Deobfuscate/Decode Files or Information
        PID:3504
      • C:\Windows\system32\regsvr32.exe
        regsvr32 energeticliverelyamused.dll
        2⤵
        • Loads dropped DLL
        PID:484
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b35515a-ee94-4315-8f2b-26d2a86995e8} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" gpu
          3⤵
            PID:4036
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c73eba3-d680-405b-a160-8f09541251aa} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" socket
            3⤵
            • Checks processor information in registry
            PID:720
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 23790 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c9eff4-5c42-47bc-a19e-695d32823e37} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
            3⤵
              PID:384
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3544 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d55e744-9ac3-42b5-b248-bc8a0e59a610} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
              3⤵
                PID:4604
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4800 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50d3c695-970d-41e3-9e68-cf3f02529efa} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" utility
                3⤵
                • Checks processor information in registry
                PID:3160
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5460 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd045363-2c8b-422c-ab44-5d520b123782} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
                3⤵
                  PID:1868
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc1eff2a-bf7e-46ed-bd4a-5df84cbabca1} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
                  3⤵
                    PID:484
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d3ad041-7fdc-47f7-8700-72d8f6a4d49a} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
                    3⤵
                      PID:1424
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 5668 -prefMapHandle 6120 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26e1a373-0fab-47a3-a99b-05d3fd49fc57} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" tab
                      3⤵
                        PID:1468

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json
                    Filesize

                    21KB

                    MD5

                    7eb5e146e7fdf9d7822351d6adfba9c6

                    SHA1

                    1028bab080112ff8b53679449d23c6f936704ab7

                    SHA256

                    b35f879402e448ec646e008b9b43ef43e36c51eeccf21a83efeb56c96efc01a5

                    SHA512

                    668a8e17d9bd6da2219c2b741e18871f5e763f8920e0d2a25994309028a3c556458d8e255dc7818f55484eb04bc9ef60491dba2706c7e9922c37640df3012730

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                    Filesize

                    15KB

                    MD5

                    96c542dec016d9ec1ecc4dddfcbaac66

                    SHA1

                    6199f7648bb744efa58acf7b96fee85d938389e4

                    SHA256

                    7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                    SHA512

                    cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\advicediscoverjeansupbeat
                    Filesize

                    303KB

                    MD5

                    3de4c4dddf82847e0418a9d1390a7d05

                    SHA1

                    6f00c75e9edc101872f3619f2906e2647335e1b2

                    SHA256

                    2d3612d43407870a6d59beebae4f726d9cbcef2127f600facda949251fcefcc7

                    SHA512

                    8ab0ccaf715b37c8c180a3bab37584513c37edf734ce58a3a901fc8c13f823be42d062f2d85a3aac3fe7f28f4ab0158c198e89946f7d0b59f40e44b3ebb4f4b5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\energeticliverelyamused.dll
                    Filesize

                    227KB

                    MD5

                    b87b94262e7ee819933cc0ed51cf665c

                    SHA1

                    0094d6ead5447d3e74f6c08a03d65b8ed47b2bde

                    SHA256

                    e534b69015fec9196a1cbd77664b40f8ac474385c06ed2385321417b7c1b26a4

                    SHA512

                    d05a9d48f612ef88f43f84da351dfce73f3c7c2c536b4e5512d4449288a478b5102e572266efdbf0c0f70e4bdbd1561b2c040e4a6306e27f9f7f01fa562ec1a9

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\AlternateServices.bin
                    Filesize

                    8KB

                    MD5

                    2816c363eb782d02b818b0e27a715bd8

                    SHA1

                    8f197f16f30fa79a1d7193011080377862d356a6

                    SHA256

                    746efe2f05d847e81bdde0d0b9e9c4980e45342c7749830a75fff85cb299c851

                    SHA512

                    7e97f72d285eb251450a8170655a3dbe0494850345f51a82953ef43c3b9822d5d46f36962b81d6c9c0c64387daa696bc0c461b561329080c989c77ddddb99468

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    d51b7eb3ecf371668d42da7312b71f0f

                    SHA1

                    657cee77487be2802e18fee77eb9baae2195ef22

                    SHA256

                    4e5859e78a5451719886d77d25e09ec3092bac71a4b9fd2c526b21279845a291

                    SHA512

                    ec0a0a1e936975d239e8f18b606749fd06a511d83e5162617e8a8063132967e5943abd28207c1796a4ae49b72190d6a4e0f19e3c8180c281644d35cf24261740

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    6ca2ab2af591084135b80f6695287c31

                    SHA1

                    62350404ffb8d9a3ced4867ca5ca1823a82a7228

                    SHA256

                    2a435f824b6ac1415da7fe377c7d7953535ec5968b0fcada7d316aaacfce8862

                    SHA512

                    7a9b07dea780be122bc3ed724be8b487fa5aa3cd0f6f2c328e70a3eb307218fe3f76f4d922c2a54ffa9a88db3e55ad51ff0b6c26f077d65e146af9239d28f36d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\758c5d70-fcd4-41ed-b90e-dbcb9100f88b
                    Filesize

                    982B

                    MD5

                    c16b7cb9ca1c3926a5a9c97ae156c9e3

                    SHA1

                    ad3daaf6c8d3203905ac54924406ddb1bdeb795b

                    SHA256

                    56175a66244a8890a60f2658a97235563e3d1384d3c3c959293f4ed5775145c0

                    SHA512

                    63ea2ad67a21482fafe9170b3e7c1986eb8ce5730d06051f70ec5be9ae4904e137b9266df0648a342a2f7dd4d583806cb708c0b56d8148f210b9d124fe311af5

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\913bb478-0d65-48bd-ae4b-63d65af8540f
                    Filesize

                    671B

                    MD5

                    0b6580eb113c29966669c15228bf04f5

                    SHA1

                    85d0ac0c4447fd026c000a97804f157708499979

                    SHA256

                    930fdcb52beadd3c9fbc994362fc66ae94860e7e7091fca7b6568f77f60fea03

                    SHA512

                    de4661594107e31a2dacbd7e999015056a8b53ad046eb8357cb77e63583fa793af2418fb92887f911d32ffbbb4d49a6ff39a29ade339701d76a73a6cc69253ab

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\9a3a7e1e-14c5-48fa-8121-c27c64f04e85
                    Filesize

                    23KB

                    MD5

                    6b31f8243c4d22379a12d6a747b6315f

                    SHA1

                    ac8cae681a15176b1676faaf788fd2441ba99a15

                    SHA256

                    7f652ce34eee0a05c60b3550475e7f5eff70a8003357abcad9ce4fae90768b90

                    SHA512

                    c559bfcb6780a18b528e37043c0c0a34fb6ca4375ce88645cc065ba1db0329f3d2458c46fa268ecec57bb934d08eec9ac26e27231e212ed7db7327f48a7c709a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs-1.js
                    Filesize

                    9KB

                    MD5

                    42c13583773258cf31dd5d41e800f905

                    SHA1

                    5111f7a019f9a47e664134cf06de46a0da06df06

                    SHA256

                    5feba95c72e207f9774dc7a8b823aa8b66228efa73ce8755f0c22c85c57d7b4a

                    SHA512

                    c1294be0e9421d7e0d62c7ea03e3a3d5c7cd1b1a35f8eec63bd09eaa26cf8588a309395036cc3026617de5ef672005aa03c5d5d23cc54c5cdfcdcc66a1fff387

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    b493d47b3125936f47d68fc8bb19ab1e

                    SHA1

                    be0dd1ecca723644597a79ac27bf1a644ac87883

                    SHA256

                    5f664a5b37ab9c89ddbaee34d95fa4ca50e0268fefc1a36763e939d82368a7d4

                    SHA512

                    1aa501e6457093014eb5c9dece730c90f645935510190cb65b12834ead0fc449c78dd728929748a4a803f717fe4d1fbc491556baa616ecb1ee3473376c36ef3f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    384KB

                    MD5

                    585e8bef57973400aeccbcf12be93218

                    SHA1

                    04036922927a1ba00583c774484c4961a123a9d9

                    SHA256

                    c2aa3b407eca4847e0ca83dcf0b71482e24f205e24ec92979f9562fc2791a314

                    SHA512

                    cc9854d219e91140c178bc31eb4f9afaf20a2c7fe9d4f224fad887fb958b1d71c735cf8f3d42396ff4a4bfa62b024c4604e81c4f32ebab62728b7b592372388b

                    Download Submit

                  • memory/484-5-0x0000000001270000-0x0000000001291000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/484-6-0x000000006D7C0000-0x000000006D800000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/484-7-0x0000000001270000-0x0000000001291000-memory.dmp

                    Filesize

                    132KB

                    Download