strela | 33d92d63e2031bcde9fd355b5a9cb725e9203773cc05f1ceb87de2c08f042ac8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eagleget_setup.exe
Size

10.0MB
MD5

69f26e335a173717a64cd3b5458b9897
SHA1

7c5f488dd4da20ab7f98ef5308a358ba5a28dc6d
SHA256

33d92d63e2031bcde9fd355b5a9cb725e9203773cc05f1ceb87de2c08f042ac8
SHA512

4d2bc1dcbd77546d9fbdce56cbc14d776cd3b6c3f0ea4b15978058521d5ca8c7601e1cdfb493493ba4879287931e2b5325996ff10de2e0924c1a090deac0a712
SSDEEP

196608:oem6JZ4n1e50q+ZKxRlDnLMe3z6jy0fqMLL7o6YcN+L0OGEjuqL:oel74bq+87DnLdUbqM/k6YcNiGEjuI

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023d45-10.dat	family_strela

Strela family
strela
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	1528	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
4228	eagleget_setup.tmp

Loads dropped DLL 4 IoCs

pid	Process
4228	eagleget_setup.tmp
4228	eagleget_setup.tmp
4228	eagleget_setup.tmp
4228	eagleget_setup.tmp

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eagleget_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eagleget_setup.tmp

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4188	MicrosoftEdgeUpdate.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2756	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4228	4072	eagleget_setup.exe	87
PID 4072 wrote to memory of 4228	4072	eagleget_setup.exe	87
PID 4072 wrote to memory of 4228	4072	eagleget_setup.exe	87
PID 4228 wrote to memory of 2756	4228	eagleget_setup.tmp	92
PID 4228 wrote to memory of 2756	4228	eagleget_setup.tmp	92
PID 4228 wrote to memory of 2756	4228	eagleget_setup.tmp	92

C:\Users\Admin\AppData\Local\Temp\eagleget_setup.exe
"C:\Users\Admin\AppData\Local\Temp\eagleget_setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\is-CNN74.tmp\eagleget_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CNN74.tmp\eagleget_setup.tmp" /SL5="$500D6,10028740,175104,C:\Users\Admin\AppData\Local\Temp\eagleget_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im "net_updater32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2756

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzIwOUUwRTQtNTgyQy00RUI5LUFDQjktN0RCQkQ4MUYyNDY3fSIgdXNlcmlkPSJ7RkI5QkM5NkYtQTlGRS00M0U5LTkyNDgtNTM5NzAyMTJENDlBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTRERTRBQzAtNEM1RC00MzkxLThDOTgtOTcyQkYyM0I1NUQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjEzODY5NTQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-CNN74.tmp\eagleget_setup.tmp

Filesize
1.2MB

MD5
eb42e5720e09cd014694a22c86929f5e

SHA1
b619dccd5e1deb090d8eae6c6bac5e5dae91fdfb

SHA256
4dc2d414277e497490d2009f370051298bccaa649d0a335b064269a0bb9bbbf3

SHA512
4f5ea3e32f7da75799b8067351a860f6c840dba8108c92d34d4be7d6b811140e6b2dd161ba4bd90df77dff41b74e1e85b536b3776cadb656018a1914acc3ee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\back.png

Filesize
2KB

MD5
ef9ed169ba900bc5250d0210d25619e3

SHA1
d333ee23b4441e7da0109886159f7c9e78819c5c

SHA256
806f42fddd09b24993ec053e6fdcae023e4833b371590843a498aacac20b8c7c

SHA512
042e7fef639b74e421ab456e41301dedd1a91f29795b5594eea89ee95ff6c44b3f72936e639f8671bba3874fb6f536c7ef01bc878c5e3a1bdc1e73ae2f716267

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\btn_browser.png

Filesize
2KB

MD5
8dd4f9f2c22073544694eca39c4f305d

SHA1
f7944cd8aa4f4b5233867dbdcea034a8d4be69e2

SHA256
0f6e9827ef681b88722d2013ae44fe5f8eeeaf22b6fe64904ecd0852de8197c8

SHA512
1c8708c77e8e61659ad7a903a4b5431e72532645486ca62e9b84d42f2e1fce2ebf07d17b64241656e08f32d766843dea6bc40fe7e8ff6e010201de8860a0d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\btn_close.png

Filesize
204B

MD5
b780d58e26ddf76733743501d00123d4

SHA1
594b7196378628bcc7107e8186e2f2f6da07ac0b

SHA256
8a6026306c1774d027022b3ee600c34b296ab8135f46c872d74c734baa239eac

SHA512
8691a1c2a00311f31224fee23803a91bc2a7597aa2ac928cfc43291b7c6cfd89bce7f7fd60d8448603b5c441ff2706f9686e1fa71c56041d0c5377eb1e14ba5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\btn_min.png

Filesize
103B

MD5
2e9c0f6a83184050751c5cb0dfae2397

SHA1
f1c3e7a900db6572ac0940b833b1ec30141bc17d

SHA256
686967328122f54acd92f85f6c162d42a8f607148f511ec4f7ab41010fc7db66

SHA512
03256bfcf0df9e390e1cfa1b4571aece489270d6c72f231db1c0a1d22b9c181a89fb2865810af217956b052eb47f34d5636edef4606074f607203358370ffc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\btn_n.png

Filesize
1KB

MD5
66deff37283bca24ea963ae3a3963b38

SHA1
6c2410db0d9d77ed8019c01d68cb9fcdfa93b330

SHA256
d9f0859f6a5648b0a9060200cc9a7534161e1b22844f631766e4e3540090790a

SHA512
706a5f2b297694f48f623ba3ab9b0cbadd4a48be9d3b619ec76cf0aadf1638134d65a8de492b869573c136665778bfe86133cb9973d47f29f95683c4bb83faa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\btn_setup.png

Filesize
4KB

MD5
212afbaedaa752a5e8957a609a0ae9f1

SHA1
73e210e0fdd3ac797e6b30bb57a17f2ddd195002

SHA256
d95a68be5109a23db0d0dff20ba3453ca69d39f48f2ae996255b84557a96881b

SHA512
b83e22c50f011f2bb42ea6936bd2b776d9371c933119a7aa19181cb2a3f7e050478c8e679410aea39ecc750b408ecf55fd927bad1234fa041a89ebd737ac5061

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\checkboxdeep.png

Filesize
351B

MD5
3f5325a8962d480ccb89be73e7e054b5

SHA1
319e2f9e1c6c681f79265f6b24606574cbbeebbc

SHA256
ecfe768ec009c8cb24edb1dd3cfe8a8e8a583fcfc90ec90442ce1c8d59241cdc

SHA512
5994ba26c4fdc4ae3a94af2e0e48e3e173c8094fa8b069bfa47b1403ba8283e2ee312f49c308eed2f0d9d244373577244c6d8e4495d4f91f8b6597fff90b4db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\license.png

Filesize
1KB

MD5
8277d98e048ba1adf360d63622f5b0bf

SHA1
0bdc270cd963b2b34e919250455062f782052a47

SHA256
9a004daa7630d4916c962e681f1a1f95db3ff476fe82272dc937f7ac200683a2

SHA512
5b8a354efe4073473a92118027b06d1fe599a422f395fbfa17ce0bf5c3a0cb94c7bfadb1c324e66829ad478e1561200259d32d05514fbaa22f6bbc3a90a8579a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\util.dll

Filesize
1020KB

MD5
ff4feaf7b5a9ac2f170be9100e3d545d

SHA1
1ec232776aab63dbc6c5e60f78956bbf08ce5d46

SHA256
98e42f53f795c03b180e2750d14c1a77bfd9078f7663d35886af91b92d5487a2

SHA512
93d3efa7f6fbbfa474e4172f7e422a6aa349efba280db593ac61a2d298607f2e1dc716b3c04ab5809de2bf36f6f4dab2449332f80a26cdb09ffe9015325859e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCG0C.tmp\xy.png

Filesize
11KB

MD5
e92f3fbf3876c4044722fd975281b3ff

SHA1
d92877cad872663616a48f25af291e8bffb246aa

SHA256
31137ad0ef19381e1778eb89b6cb9f70a9ee5244ad943ad494e1e57b18b48ab7

SHA512
46fdb373fe54ecf762adcba6a08a0e2e67080d97931fe1407d4f60b74921d9ef7d38ec7104271805635a015ba5230a09e16de60010aecc5c404ae376efddfac7

Download Submit
memory/4072-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4072-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4072-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4228-56-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/4228-7-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/4228-107-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/4228-108-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/4228-114-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download