Malware Analysis Report

2025-04-14 05:16

Sample ID 250316-bcpcnaxtcz
Target eagleget-2-1-6-50.zip
SHA256 c9712b8a5fdccf546dd56a485ead0e1558bc087c4da11caae93182dcc99294da
Tags
strela discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9712b8a5fdccf546dd56a485ead0e1558bc087c4da11caae93182dcc99294da

Threat Level: Known bad

The file eagleget-2-1-6-50.zip was found to be: Known bad.

Malicious Activity Summary

strela discovery stealer

Strela family

Detects Strela Stealer payload

Strela stealer

Loads dropped DLL

Executes dropped EXE

System Location Discovery: System Language Discovery

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-16 01:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-16 01:00

Reported

2025-03-16 01:03

Platform

win10v2004-20250314-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Strela family

strela

Strela stealer

stealer strela

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-F0BC3.tmp\eagleget-2-1-6-50.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-F0BC3.tmp\eagleget-2-1-6-50.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe

"C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"

C:\Users\Admin\AppData\Local\Temp\is-F0BC3.tmp\eagleget-2-1-6-50.tmp

"C:\Users\Admin\AppData\Local\Temp\is-F0BC3.tmp\eagleget-2-1-6-50.tmp" /SL5="$501F0,9993427,175104,C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "net_updater32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp

Files

memory/3652-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3652-2-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-F0BC3.tmp\eagleget-2-1-6-50.tmp

MD5 eb42e5720e09cd014694a22c86929f5e
SHA1 b619dccd5e1deb090d8eae6c6bac5e5dae91fdfb
SHA256 4dc2d414277e497490d2009f370051298bccaa649d0a335b064269a0bb9bbbf3
SHA512 4f5ea3e32f7da75799b8067351a860f6c840dba8108c92d34d4be7d6b811140e6b2dd161ba4bd90df77dff41b74e1e85b536b3776cadb656018a1914acc3ee2f

memory/212-7-0x0000000000400000-0x000000000054E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\util.dll

MD5 192c98cb51f39be053ad5c7e029e75f8
SHA1 2fbb285edc39d51a0e56a7ef996c9f67c4b1a015
SHA256 a2ef6b8fbf44bc77631d5635b8abedf90db5903b94618753168f5a904ebc5f60
SHA512 4b810f8861d037e3581fadb17a7a22f29648eb651d9bbd2827167fdce94975a5eef25d899009286ce6636a59732b6728510b6f9e151ea2d026f764dd1fd5bf2e

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\botva2.dll

MD5 0177746573eed407f8dca8a9e441aa49
SHA1 6b462adf78059d26cbc56b3311e3b97fcb8d05f7
SHA256 a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008
SHA512 d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

memory/212-56-0x00000000034D0000-0x00000000034DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\btn_close.png

MD5 b780d58e26ddf76733743501d00123d4
SHA1 594b7196378628bcc7107e8186e2f2f6da07ac0b
SHA256 8a6026306c1774d027022b3ee600c34b296ab8135f46c872d74c734baa239eac
SHA512 8691a1c2a00311f31224fee23803a91bc2a7597aa2ac928cfc43291b7c6cfd89bce7f7fd60d8448603b5c441ff2706f9686e1fa71c56041d0c5377eb1e14ba5c

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\CallbackCtrl.dll

MD5 f07e819ba2e46a897cfabf816d7557b2
SHA1 8d5fd0a741dd3fd84650e40dd3928ae1f15323cc
SHA256 68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
SHA512 7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\btn_min.png

MD5 2e9c0f6a83184050751c5cb0dfae2397
SHA1 f1c3e7a900db6572ac0940b833b1ec30141bc17d
SHA256 686967328122f54acd92f85f6c162d42a8f607148f511ec4f7ab41010fc7db66
SHA512 03256bfcf0df9e390e1cfa1b4571aece489270d6c72f231db1c0a1d22b9c181a89fb2865810af217956b052eb47f34d5636edef4606074f607203358370ffc90

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\btn_setup.png

MD5 212afbaedaa752a5e8957a609a0ae9f1
SHA1 73e210e0fdd3ac797e6b30bb57a17f2ddd195002
SHA256 d95a68be5109a23db0d0dff20ba3453ca69d39f48f2ae996255b84557a96881b
SHA512 b83e22c50f011f2bb42ea6936bd2b776d9371c933119a7aa19181cb2a3f7e050478c8e679410aea39ecc750b408ecf55fd927bad1234fa041a89ebd737ac5061

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\back.png

MD5 ef9ed169ba900bc5250d0210d25619e3
SHA1 d333ee23b4441e7da0109886159f7c9e78819c5c
SHA256 806f42fddd09b24993ec053e6fdcae023e4833b371590843a498aacac20b8c7c
SHA512 042e7fef639b74e421ab456e41301dedd1a91f29795b5594eea89ee95ff6c44b3f72936e639f8671bba3874fb6f536c7ef01bc878c5e3a1bdc1e73ae2f716267

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\btn_browser.png

MD5 8dd4f9f2c22073544694eca39c4f305d
SHA1 f7944cd8aa4f4b5233867dbdcea034a8d4be69e2
SHA256 0f6e9827ef681b88722d2013ae44fe5f8eeeaf22b6fe64904ecd0852de8197c8
SHA512 1c8708c77e8e61659ad7a903a4b5431e72532645486ca62e9b84d42f2e1fce2ebf07d17b64241656e08f32d766843dea6bc40fe7e8ff6e010201de8860a0d189

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\btn_n.png

MD5 66deff37283bca24ea963ae3a3963b38
SHA1 6c2410db0d9d77ed8019c01d68cb9fcdfa93b330
SHA256 d9f0859f6a5648b0a9060200cc9a7534161e1b22844f631766e4e3540090790a
SHA512 706a5f2b297694f48f623ba3ab9b0cbadd4a48be9d3b619ec76cf0aadf1638134d65a8de492b869573c136665778bfe86133cb9973d47f29f95683c4bb83faa6

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\xy.png

MD5 e92f3fbf3876c4044722fd975281b3ff
SHA1 d92877cad872663616a48f25af291e8bffb246aa
SHA256 31137ad0ef19381e1778eb89b6cb9f70a9ee5244ad943ad494e1e57b18b48ab7
SHA512 46fdb373fe54ecf762adcba6a08a0e2e67080d97931fe1407d4f60b74921d9ef7d38ec7104271805635a015ba5230a09e16de60010aecc5c404ae376efddfac7

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\license.png

MD5 8277d98e048ba1adf360d63622f5b0bf
SHA1 0bdc270cd963b2b34e919250455062f782052a47
SHA256 9a004daa7630d4916c962e681f1a1f95db3ff476fe82272dc937f7ac200683a2
SHA512 5b8a354efe4073473a92118027b06d1fe599a422f395fbfa17ce0bf5c3a0cb94c7bfadb1c324e66829ad478e1561200259d32d05514fbaa22f6bbc3a90a8579a

C:\Users\Admin\AppData\Local\Temp\is-24FEO.tmp\checkboxdeep.png

MD5 3f5325a8962d480ccb89be73e7e054b5
SHA1 319e2f9e1c6c681f79265f6b24606574cbbeebbc
SHA256 ecfe768ec009c8cb24edb1dd3cfe8a8e8a583fcfc90ec90442ce1c8d59241cdc
SHA512 5994ba26c4fdc4ae3a94af2e0e48e3e173c8094fa8b069bfa47b1403ba8283e2ee312f49c308eed2f0d9d244373577244c6d8e4495d4f91f8b6597fff90b4db1

memory/3652-106-0x0000000000400000-0x0000000000436000-memory.dmp

memory/212-108-0x00000000034D0000-0x00000000034DE000-memory.dmp

memory/212-107-0x0000000000400000-0x000000000054E000-memory.dmp

memory/212-114-0x00000000034D0000-0x00000000034DE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-16 01:00

Reported

2025-03-16 01:03

Platform

win7-20240903-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Strela family

strela

Strela stealer

stealer strela

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EAAQT.tmp\eagleget-2-1-6-50.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-EAAQT.tmp\eagleget-2-1-6-50.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe

"C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"

C:\Users\Admin\AppData\Local\Temp\is-EAAQT.tmp\eagleget-2-1-6-50.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EAAQT.tmp\eagleget-2-1-6-50.tmp" /SL5="$4001C,9993427,175104,C:\Users\Admin\AppData\Local\Temp\eagleget-2-1-6-50.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im "net_updater32.exe"

Network

N/A

Files

memory/2524-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2524-2-0x0000000000401000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-EAAQT.tmp\eagleget-2-1-6-50.tmp

MD5 eb42e5720e09cd014694a22c86929f5e
SHA1 b619dccd5e1deb090d8eae6c6bac5e5dae91fdfb
SHA256 4dc2d414277e497490d2009f370051298bccaa649d0a335b064269a0bb9bbbf3
SHA512 4f5ea3e32f7da75799b8067351a860f6c840dba8108c92d34d4be7d6b811140e6b2dd161ba4bd90df77dff41b74e1e85b536b3776cadb656018a1914acc3ee2f

memory/2536-8-0x0000000000400000-0x000000000054E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\util.dll

MD5 192c98cb51f39be053ad5c7e029e75f8
SHA1 2fbb285edc39d51a0e56a7ef996c9f67c4b1a015
SHA256 a2ef6b8fbf44bc77631d5635b8abedf90db5903b94618753168f5a904ebc5f60
SHA512 4b810f8861d037e3581fadb17a7a22f29648eb651d9bbd2827167fdce94975a5eef25d899009286ce6636a59732b6728510b6f9e151ea2d026f764dd1fd5bf2e

\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\botva2.dll

MD5 0177746573eed407f8dca8a9e441aa49
SHA1 6b462adf78059d26cbc56b3311e3b97fcb8d05f7
SHA256 a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008
SHA512 d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

memory/2536-54-0x0000000002000000-0x000000000200E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\btn_close.png

MD5 b780d58e26ddf76733743501d00123d4
SHA1 594b7196378628bcc7107e8186e2f2f6da07ac0b
SHA256 8a6026306c1774d027022b3ee600c34b296ab8135f46c872d74c734baa239eac
SHA512 8691a1c2a00311f31224fee23803a91bc2a7597aa2ac928cfc43291b7c6cfd89bce7f7fd60d8448603b5c441ff2706f9686e1fa71c56041d0c5377eb1e14ba5c

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\back.png

MD5 ef9ed169ba900bc5250d0210d25619e3
SHA1 d333ee23b4441e7da0109886159f7c9e78819c5c
SHA256 806f42fddd09b24993ec053e6fdcae023e4833b371590843a498aacac20b8c7c
SHA512 042e7fef639b74e421ab456e41301dedd1a91f29795b5594eea89ee95ff6c44b3f72936e639f8671bba3874fb6f536c7ef01bc878c5e3a1bdc1e73ae2f716267

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\btn_browser.png

MD5 8dd4f9f2c22073544694eca39c4f305d
SHA1 f7944cd8aa4f4b5233867dbdcea034a8d4be69e2
SHA256 0f6e9827ef681b88722d2013ae44fe5f8eeeaf22b6fe64904ecd0852de8197c8
SHA512 1c8708c77e8e61659ad7a903a4b5431e72532645486ca62e9b84d42f2e1fce2ebf07d17b64241656e08f32d766843dea6bc40fe7e8ff6e010201de8860a0d189

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\btn_setup.png

MD5 212afbaedaa752a5e8957a609a0ae9f1
SHA1 73e210e0fdd3ac797e6b30bb57a17f2ddd195002
SHA256 d95a68be5109a23db0d0dff20ba3453ca69d39f48f2ae996255b84557a96881b
SHA512 b83e22c50f011f2bb42ea6936bd2b776d9371c933119a7aa19181cb2a3f7e050478c8e679410aea39ecc750b408ecf55fd927bad1234fa041a89ebd737ac5061

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\btn_min.png

MD5 2e9c0f6a83184050751c5cb0dfae2397
SHA1 f1c3e7a900db6572ac0940b833b1ec30141bc17d
SHA256 686967328122f54acd92f85f6c162d42a8f607148f511ec4f7ab41010fc7db66
SHA512 03256bfcf0df9e390e1cfa1b4571aece489270d6c72f231db1c0a1d22b9c181a89fb2865810af217956b052eb47f34d5636edef4606074f607203358370ffc90

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\btn_n.png

MD5 66deff37283bca24ea963ae3a3963b38
SHA1 6c2410db0d9d77ed8019c01d68cb9fcdfa93b330
SHA256 d9f0859f6a5648b0a9060200cc9a7534161e1b22844f631766e4e3540090790a
SHA512 706a5f2b297694f48f623ba3ab9b0cbadd4a48be9d3b619ec76cf0aadf1638134d65a8de492b869573c136665778bfe86133cb9973d47f29f95683c4bb83faa6

\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\CallbackCtrl.dll

MD5 f07e819ba2e46a897cfabf816d7557b2
SHA1 8d5fd0a741dd3fd84650e40dd3928ae1f15323cc
SHA256 68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
SHA512 7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\xy.png

MD5 e92f3fbf3876c4044722fd975281b3ff
SHA1 d92877cad872663616a48f25af291e8bffb246aa
SHA256 31137ad0ef19381e1778eb89b6cb9f70a9ee5244ad943ad494e1e57b18b48ab7
SHA512 46fdb373fe54ecf762adcba6a08a0e2e67080d97931fe1407d4f60b74921d9ef7d38ec7104271805635a015ba5230a09e16de60010aecc5c404ae376efddfac7

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\checkboxdeep.png

MD5 3f5325a8962d480ccb89be73e7e054b5
SHA1 319e2f9e1c6c681f79265f6b24606574cbbeebbc
SHA256 ecfe768ec009c8cb24edb1dd3cfe8a8e8a583fcfc90ec90442ce1c8d59241cdc
SHA512 5994ba26c4fdc4ae3a94af2e0e48e3e173c8094fa8b069bfa47b1403ba8283e2ee312f49c308eed2f0d9d244373577244c6d8e4495d4f91f8b6597fff90b4db1

C:\Users\Admin\AppData\Local\Temp\is-SL4R0.tmp\license.png

MD5 8277d98e048ba1adf360d63622f5b0bf
SHA1 0bdc270cd963b2b34e919250455062f782052a47
SHA256 9a004daa7630d4916c962e681f1a1f95db3ff476fe82272dc937f7ac200683a2
SHA512 5b8a354efe4073473a92118027b06d1fe599a422f395fbfa17ce0bf5c3a0cb94c7bfadb1c324e66829ad478e1561200259d32d05514fbaa22f6bbc3a90a8579a

memory/2524-102-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2536-104-0x0000000002000000-0x000000000200E000-memory.dmp

memory/2536-103-0x0000000000400000-0x000000000054E000-memory.dmp