Recent StrelaStealer Infection Chain Involves Decoy PDF Files

    Date: 02/11/2025

    Severity: High

    Summary

    Recent StrelaStealer activity continues to leverage WebDAV servers to distribute malware. Since late January 2025, decoy PDF files have been observed during the infection process. The WebDAV and C2 server at 193.143.1[.]205 remains active, hosting both the decoy PDF and the StrelaStealer malware as of February 10, 2025. The decoy PDF itself is not malicious; it displays a blurred image to mislead victims. The malicious .js files execute only if the victim's Windows system language or locale is set to one of the following German-speaking countries: Austria, Germany, Liechtenstein, Luxembourg, or Switzerland.

    Indicators of Compromise (IOC) List

    IP Address:

    193.143.1.205

    Hash:

    0237c0247632a2ea8d80bb1a3398f1ba9b8f7704af70113e8fa0bbe688550ea1
    
    0d11f84e614c5394218abcfde06dc0ca4befb4d4527ec38a009e9bd78a0a403c 
    
    3ea9961f6b11e3fd9f09e76819ab7083f1ad924d5fbd543b466c467880e943d4 
    
    3fa21cc2a8b3548d82f432e4498b867f774083a879c91056afa0d0b1116d8af3
    
    4adf4847c92046a65f51a2f0886f6c97a27e4fd73e0bf3a6d7778b500f40c4a7
    
    4f512c879ae57917208596543e039012e13588437e106c1986c25428ae6aa58a
    
    526f99634031b5220df204148aaeaf4a105c927a9623eff4e0e6eab2fec470e6
    
    56ddf2bcd35791d353cccb64f2b03b4e30d62fbf64408a53fb081acb229e7bb1
    
    57a98c713f1b54cf2a15f03abd827361ba03f94ce04668558f5a3987a1f47dc6
    
    7e4939b5a3f45a6deca1e52fb1570a41a64eab4100819be1ce277ff05869527d
    
    023fe721b61eb902dde8e89cf1d2d9a9a90a9e3016c36836f3f96eb0846e0e4f
    
    18f2f23775a128b26139cf373373890d7165049600af5f3da6776a04c991f82f
    
    2e76869289964a9025f8dc20c9f4ce0c341a7b0305c3906e717c812af4efff88
    
    36d1eeb02cd95376360a2bb64fbd531f57a5ad1e496f1a28f9d6f8d1b30150da
    
    3d90244755ddc949ba4a46ba01dc8157dbe0ffa96aab27a43fca4e2f2f7960ce
    
    9f418f7c66d036b02047f0e99a86647e406f97457ba5ff05aa8c6774e2156166
    
    b83bc3ea84a1dfa72e46905e8fe63d8102e67866be40d0f74aa25cba6467765e
    
    b85724ef6d750864422bae530864a6a77c7616d2dc291da74c1fc41e23ece6c3
    
    bd7d9850ab56ea616b6762e736adbfc12809cdfd18525b0eb79712be7317200c
    
    cf7ebeeab3c143444a761b8aff25ee9cf3bb498927004e27cfe33fb7eee75c93
    
    915c9d78cf65c4be89eda22e5f03d44d6a593bc4be02fa816871d8ee398ca8fa
    
    fc3518d746cdb3738da976551795b9727619f41f89ac0641533126e2f69b969a
    
    0e8e0a57a3cc02c8666378463e1bde1697c3e6bb14e5b773f644e06ea05ab41c
    
    cc773750eff260dc5396f878e3a61f5a79689e0078e8b679b3152f7af027a429
    
    f3677f29dee7338da89321564757caa15ce0c50f85540977b7470bf3a6ca0d2c
    
    2e76869289964a9025f8dc20c9f4ce0c341a7b0305c3906e717c812af4efff88

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address:

    dstipaddress like "193.143.1.205" or ipaddress like "193.143.1.205" or publicipaddress like "193.143.1.205" or srcipaddress like "193.143.1.205"

    Hash:

    sha256hash IN ("3d90244755ddc949ba4a46ba01dc8157dbe0ffa96aab27a43fca4e2f2f7960ce","cc773750eff260dc5396f878e3a61f5a79689e0078e8b679b3152f7af027a429","57a98c713f1b54cf2a15f03abd827361ba03f94ce04668558f5a3987a1f47dc6","0e8e0a57a3cc02c8666378463e1bde1697c3e6bb14e5b773f644e06ea05ab41c","cf7ebeeab3c143444a761b8aff25ee9cf3bb498927004e27cfe33fb7eee75c93","3ea9961f6b11e3fd9f09e76819ab7083f1ad924d5fbd543b466c467880e943d4","f3677f29dee7338da89321564757caa15ce0c50f85540977b7470bf3a6ca0d2c","b85724ef6d750864422bae530864a6a77c7616d2dc291da74c1fc41e23ece6c3","18f2f23775a128b26139cf373373890d7165049600af5f3da6776a04c991f82f","56ddf2bcd35791d353cccb64f2b03b4e30d62fbf64408a53fb081acb229e7bb1","4f512c879ae57917208596543e039012e13588437e106c1986c25428ae6aa58a","526f99634031b5220df204148aaeaf4a105c927a9623eff4e0e6eab2fec470e6","2e76869289964a9025f8dc20c9f4ce0c341a7b0305c3906e717c812af4efff88","bd7d9850ab56ea616b6762e736adbfc12809cdfd18525b0eb79712be7317200c","b83bc3ea84a1dfa72e46905e8fe63d8102e67866be40d0f74aa25cba6467765e","0d11f84e614c5394218abcfde06dc0ca4befb4d4527ec38a009e9bd78a0a403c","0237c0247632a2ea8d80bb1a3398f1ba9b8f7704af70113e8fa0bbe688550ea1","3fa21cc2a8b3548d82f432e4498b867f774083a879c91056afa0d0b1116d8af3","36d1eeb02cd95376360a2bb64fbd531f57a5ad1e496f1a28f9d6f8d1b30150da","4adf4847c92046a65f51a2f0886f6c97a27e4fd73e0bf3a6d7778b500f40c4a7","7e4939b5a3f45a6deca1e52fb1570a41a64eab4100819be1ce277ff05869527d","023fe721b61eb902dde8e89cf1d2d9a9a90a9e3016c36836f3f96eb0846e0e4f","9f418f7c66d036b02047f0e99a86647e406f97457ba5ff05aa8c6774e2156166","915c9d78cf65c4be89eda22e5f03d44d6a593bc4be02fa816871d8ee398ca8fa","fc3518d746cdb3738da976551795b9727619f41f89ac0641533126e2f69b969a")
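    The two queries above are written for Gurucul's TDIR query language. For teams without that platform, the following script is an added example (not Gurucul's or Unit 42's code) that performs the same sweep offline over exported log records. It assumes records are plain dicts whose keys mirror the field names in the queries above (dstipaddress, srcipaddress, ipaddress, publicipaddress, sha256hash); the records in SAMPLE_RECORDS are constructed for illustration. The indicators are pasted in the form the advisory prints them, so the example also handles the two things that most often make such sweeps silently miss: the defanged IP and mixed-case hashes.

```python
"""Offline IoC sweep for the StrelaStealer indicators in this advisory.

Added example, not Gurucul's TDIR engine or Unit 42's code. Assumes log
records are dicts keyed like the TDIR queries (dstipaddress, srcipaddress,
ipaddress, publicipaddress, sha256hash). SAMPLE_RECORDS is constructed.
"""
import re

# The IP is kept in its defanged form, exactly as the summary prints it,
# and refanged at load time so advisory text can be pasted verbatim.
DEFANGED_IP = "193.143.1[.]205"

# SHA-256 hashes from the advisory's IoC list, one per line.
HASHES_TEXT = """
0237c0247632a2ea8d80bb1a3398f1ba9b8f7704af70113e8fa0bbe688550ea1
0d11f84e614c5394218abcfde06dc0ca4befb4d4527ec38a009e9bd78a0a403c
3ea9961f6b11e3fd9f09e76819ab7083f1ad924d5fbd543b466c467880e943d4
3fa21cc2a8b3548d82f432e4498b867f774083a879c91056afa0d0b1116d8af3
4adf4847c92046a65f51a2f0886f6c97a27e4fd73e0bf3a6d7778b500f40c4a7
4f512c879ae57917208596543e039012e13588437e106c1986c25428ae6aa58a
526f99634031b5220df204148aaeaf4a105c927a9623eff4e0e6eab2fec470e6
56ddf2bcd35791d353cccb64f2b03b4e30d62fbf64408a53fb081acb229e7bb1
57a98c713f1b54cf2a15f03abd827361ba03f94ce04668558f5a3987a1f47dc6
7e4939b5a3f45a6deca1e52fb1570a41a64eab4100819be1ce277ff05869527d
023fe721b61eb902dde8e89cf1d2d9a9a90a9e3016c36836f3f96eb0846e0e4f
18f2f23775a128b26139cf373373890d7165049600af5f3da6776a04c991f82f
2e76869289964a9025f8dc20c9f4ce0c341a7b0305c3906e717c812af4efff88
36d1eeb02cd95376360a2bb64fbd531f57a5ad1e496f1a28f9d6f8d1b30150da
3d90244755ddc949ba4a46ba01dc8157dbe0ffa96aab27a43fca4e2f2f7960ce
9f418f7c66d036b02047f0e99a86647e406f97457ba5ff05aa8c6774e2156166
b83bc3ea84a1dfa72e46905e8fe63d8102e67866be40d0f74aa25cba6467765e
b85724ef6d750864422bae530864a6a77c7616d2dc291da74c1fc41e23ece6c3
bd7d9850ab56ea616b6762e736adbfc12809cdfd18525b0eb79712be7317200c
cf7ebeeab3c143444a761b8aff25ee9cf3bb498927004e27cfe33fb7eee75c93
915c9d78cf65c4be89eda22e5f03d44d6a593bc4be02fa816871d8ee398ca8fa
fc3518d746cdb3738da976551795b9727619f41f89ac0641533126e2f69b969a
0e8e0a57a3cc02c8666378463e1bde1697c3e6bb14e5b773f644e06ea05ab41c
cc773750eff260dc5396f878e3a61f5a79689e0078e8b679b3152f7af027a429
f3677f29dee7338da89321564757caa15ce0c50f85540977b7470bf3a6ca0d2c
"""

IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def refang(indicator):
    """Reverse common defanging so the value matches raw log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_hashes(text):
    """Parse one SHA-256 per line into a lowercase, deduplicated set.

    Anything that is not 64 hex characters raises: a malformed indicator
    would otherwise sit in the set and silently never match.
    """
    hashes = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if not token:
            continue
        if not SHA256_RE.fullmatch(token):
            raise ValueError(f"not a SHA-256 hash: {token!r}")
        hashes.add(token)
    return hashes


IOC_IP = refang(DEFANGED_IP)
IOC_HASHES = load_hashes(HASHES_TEXT)


def match_record(record):
    """Return [(field, indicator), ...] for every hit in one record."""
    hits = []
    for field in IP_FIELDS:
        if record.get(field) == IOC_IP:
            hits.append((field, IOC_IP))
    # Hash fields arrive in mixed case from different sources; normalise.
    digest = str(record.get("sha256hash") or "").lower()
    if digest in IOC_HASHES:
        hits.append(("sha256hash", digest))
    return hits


def sweep(records):
    """Return (record, hits) for each record that matches an indicator."""
    return [(r, h) for r in records if (h := match_record(r))]


# Constructed sample records: a WebDAV connection to the C2, a file event
# carrying an upper-case hash, and a benign record that must not match.
SAMPLE_RECORDS = [
    {"host": "ws-01", "dstipaddress": "193.143.1.205", "event": "webdav_connect"},
    {"host": "ws-02", "sha256hash": "0237C0247632A2EA8D80BB1A3398F1BA9B8F7704AF70113E8FA0BBE688550EA1"},
    {"host": "ws-03", "dstipaddress": "10.0.0.5",
     "sha256hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    for record, hits in sweep(SAMPLE_RECORDS):
        print(record["host"], hits)
```

    A network hit on the C2 address without a matching hash on the same host is still worth triage: the summary notes the .js stage only runs on German-locale systems, so a host in another locale may have fetched the payload over WebDAV without ever executing it.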

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-10-IOCs-for-StrelaStealer-activity.txt


    Tags

    Malware, StrelaStealer