strela | a2e6bd6582e3002fbd8230007f23047fcacd7ddc071a287e42f54cf4572db5fe

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slopewell-offculturedairplane.bat
Size

403KB
MD5

41447efea024e6158c5711c4982af676
SHA1

b52c1b3849249cc0504b82833c8610b4167cd0b1
SHA256

a2e6bd6582e3002fbd8230007f23047fcacd7ddc071a287e42f54cf4572db5fe
SHA512

d5a29e3b264672b33049984030443f505b573137636420c9b29ddf258a118cb1089caa859ce8f89da2cc1d37607fc8454a19385b77926ea793a6c8c9f77ead1b
SSDEEP

6144:SNGQJKf11ZZewEP7eXGON4FhDGTcJoBY1zWi9qgsgUpQ47GK+:SZKd7ZewaON4FhDGTcJk7i9xbUc

Score

10^/10

strela defense_evasion stealer

Malware Config

Extracted

Family

strela

193.109.85.77

Attributes

url_path
/server.php
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537

Signatures

Detects Strela Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2088-5-0x00000000001C0000-0x00000000001E1000-memory.dmp	family_strela
behavioral1/memory/2088-7-0x00000000001C0000-0x00000000001E1000-memory.dmp	family_strela
behavioral1/memory/2088-6-0x000000006D7C0000-0x000000006D800000-memory.dmp	family_strela

Strela family
strela
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Loads dropped DLL 1 IoCs

pid	Process
2088	regsvr32.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1240	certutil.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2088	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2400	2692	cmd.exe	31
PID 2692 wrote to memory of 2400	2692	cmd.exe	31
PID 2692 wrote to memory of 2400	2692	cmd.exe	31
PID 2692 wrote to memory of 1240	2692	cmd.exe	32
PID 2692 wrote to memory of 1240	2692	cmd.exe	32
PID 2692 wrote to memory of 1240	2692	cmd.exe	32
PID 2692 wrote to memory of 2088	2692	cmd.exe	33
PID 2692 wrote to memory of 2088	2692	cmd.exe	33
PID 2692 wrote to memory of 2088	2692	cmd.exe	33
PID 2692 wrote to memory of 2088	2692	cmd.exe	33
PID 2692 wrote to memory of 2088	2692	cmd.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\slopewell-offculturedairplane.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\findstr.exe
  findstr /V officebaiteggsexpect "C:\Users\Admin\AppData\Local\Temp\slopewell-offculturedairplane.bat"
  2⤵
  PID:2400
- C:\Windows\system32\certutil.exe
  certutil -f -decode advicediscoverjeansupbeat energeticliverelyamused.dll
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:1240
- C:\Windows\system32\regsvr32.exe
  regsvr32 energeticliverelyamused.dll
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\advicediscoverjeansupbeat

Filesize
303KB

MD5
3de4c4dddf82847e0418a9d1390a7d05

SHA1
6f00c75e9edc101872f3619f2906e2647335e1b2

SHA256
2d3612d43407870a6d59beebae4f726d9cbcef2127f600facda949251fcefcc7

SHA512
8ab0ccaf715b37c8c180a3bab37584513c37edf734ce58a3a901fc8c13f823be42d062f2d85a3aac3fe7f28f4ab0158c198e89946f7d0b59f40e44b3ebb4f4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\energeticliverelyamused.dll

Filesize
227KB

MD5
b87b94262e7ee819933cc0ed51cf665c

SHA1
0094d6ead5447d3e74f6c08a03d65b8ed47b2bde

SHA256
e534b69015fec9196a1cbd77664b40f8ac474385c06ed2385321417b7c1b26a4

SHA512
d05a9d48f612ef88f43f84da351dfce73f3c7c2c536b4e5512d4449288a478b5102e572266efdbf0c0f70e4bdbd1561b2c040e4a6306e27f9f7f01fa562ec1a9

Download Submit
memory/2088-5-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/2088-7-0x00000000001C0000-0x00000000001E1000-memory.dmp

Filesize
132KB

Download
memory/2088-6-0x000000006D7C0000-0x000000006D800000-memory.dmp

Filesize
256KB

Download