{
  "description": "Enterprise techniques used by StrelaStealer, ATT&CK software S1183 (v1.0)",
  "name": "StrelaStealer (S1183)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) communicates externally via HTTP POST with encrypted content.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) attempts to identify and collect mail login data from Thunderbird and Outlook following execution.(Citation: DCSO StrelaStealer 2022)(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1020", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) automatically sends gathered email credentials to command and control servers via HTTP POST as soon as collection completes.(Citation: DCSO StrelaStealer 2022)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants have used PowerShell scripts to download or drop payloads, including obfuscated variants that connect to a WebDAV server to download and execute an encrypted DLL for installation.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has included BAT files in some instances for installation.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed as a malicious JavaScript object.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) utilizes a hard-coded XOR key to encrypt the content of HTTP POST requests to command and control infrastructure.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) encrypts the payload of HTTP POST communications using the same XOR key used for the malware's DLL payload.(Citation: DCSO StrelaStealer 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1622", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants include functionality to identify and evade debuggers.(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) payloads have included strings encrypted via XOR.(Citation: DCSO StrelaStealer 2022) [StrelaStealer](https://attack.mitre.org/software/S1183) JavaScript payloads carry Base64-encoded content that is decoded via [certutil](https://attack.mitre.org/software/S0160) to create a malicious DLL file.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1480", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants only execute if the keyboard layout or language matches a predefined list of values.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480.002", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants include the use of mutex values based on the victim system name to prevent reinfection.(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) exfiltrates collected email credentials via HTTP POST to command and control servers.(Citation: DCSO StrelaStealer 2022)(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has sideloaded a DLL payload using a renamed, legitimate `msinfo32.exe` executable.(Citation: DCSO StrelaStealer 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) PE executable payloads have used uncommon but legitimate extensions such as `.com` instead of `.exe`.(Citation: IBM StrelaStealer 2024)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.003", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has used a renamed, legitimate `msinfo32.exe` executable to sideload the [StrelaStealer](https://attack.mitre.org/software/S1183) payload during initial installation.(Citation: DCSO StrelaStealer 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) payloads have used tailored filenames that match the name of the targeted organization or company.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.008", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed as a DLL/HTML polyglot file.(Citation: DCSO StrelaStealer 2022)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed in ISO archives.(Citation: DCSO StrelaStealer 2022) [StrelaStealer](https://attack.mitre.org/software/S1183) has been delivered in encrypted, password-protected ZIP archives.(Citation: IBM StrelaStealer 2024)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants have used packers to obfuscate payloads and make analysis more difficult.(Citation: PaloAlto StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) uses XOR-encoded strings to obfuscate items.(Citation: DCSO StrelaStealer 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has been delivered via JScript files in a ZIP archive.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.016", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants have included excessive mathematical functions that pad the binary and slow execution for anti-analysis and sandbox evasion purposes.(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed as a spearphishing attachment.(Citation: DCSO StrelaStealer 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants use COM objects to enumerate installed applications from the \"AppsFolder\" on victim machines.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants have used valid code signing certificates.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) DLL payloads have been executed via `rundll32.exe`.(Citation: PaloAlto StrelaStealer 2024)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants collect victim system information for exfiltration.(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) variants check system language settings via keyboard layout or similar mechanisms.(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.001", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) searches for files such as `logins.json` and `key4.db` under the `%APPDATA%\\Thunderbird\\Profiles\\` directory, associated with the Thunderbird email application, and collects their contents if found.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552.002", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) enumerates the registry key `HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\` to identify the values for \"IMAP User,\" \"IMAP Server,\" and \"IMAP Password\" associated with the Outlook email application.(Citation: DCSO StrelaStealer 2022)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) relies on user execution of a malicious file for installation.(Citation: DCSO StrelaStealer 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "comment": "[StrelaStealer](https://attack.mitre.org/software/S1183) payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by StrelaStealer", "color": "#66b1ff"}]
}
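The layer above lists the host-side behaviours that are most practical to detect: a renamed `msinfo32.exe` sideloading the DLL (T1036.003/T1574.001), `certutil` decoding the Base64 blob (T1140), `rundll32.exe` running the DLL (T1218.011), reads of the Outlook IMAP profile values under `9375CFF0413111d3B88A00104B2A6676` (T1552.002), and reads of Thunderbird's `logins.json`/`key4.db` (T1552.001). The following is an added example, not part of the ATT&CK layer or of any cited vendor report, that turns those entries into detection logic and runs it over constructed Sysmon/Windows-Security-style records. The record field names (`kind`, `Host`, `Image`, `CommandLine`, `OriginalFileName`, `TargetObject`, `TargetFilename`) are assumptions modelled on Sysmon; note that Sysmon logs registry writes and file creates but not reads, so the registry and file checks assume read telemetry (Security event 4663 with a SACL on the key or profile directory, or an EDR read feed) has already been mapped onto those fields. Sample paths, hostnames and file names are constructed and are not indicators of compromise.

```python
"""Detection of StrelaStealer host behaviours from the layer above.
Added example over constructed Sysmon/Security-style records (see lead-in)."""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str]  # (ATT&CK technique ID, reason)

# T1552.002: Outlook profile key whose IMAP values StrelaStealer reads.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\16\.0\\Outlook\\Profiles\\[^\\]+"
    r"\\9375CFF0413111d3B88A00104B2A6676\\", re.IGNORECASE)
OUTLOOK_IMAP_VALUES = {"imap user", "imap server", "imap password"}
# T1552.001: Thunderbird credential store inside a profile directory.
THUNDERBIRD_CRED_FILE = re.compile(
    r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.IGNORECASE)
# T1218.011: user-writable locations rundll32 should rarely load a DLL from (assumed list).
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased last path component; ntpath splits on backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def check_process(ev: Event) -> List[Hit]:
    """Process-creation record (Sysmon Event ID 1 field names)."""
    hits: List[Hit] = []
    image, cmd = _base(ev.get("Image", "")), ev.get("CommandLine", "")
    original = (ev.get("OriginalFileName") or "").lower()
    if original == "msinfo32.exe" and image != "msinfo32.exe":  # T1036.003 / T1574.001
        hits.append(("T1036.003", f"msinfo32.exe running as renamed image {image}"))
    if image == "certutil.exe" and re.search(r"(?i)-decode\b", cmd):  # T1140
        hits.append(("T1140", "certutil -decode used to reconstruct a payload"))
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):  # T1218.011
        hits.append(("T1218.011", "rundll32 loading a DLL from a user-writable path"))
    return hits


def check_registry(ev: Event) -> List[Hit]:
    """Registry read record (Security 4663 / EDR); TargetObject = key path + value name."""
    target = ev.get("TargetObject", "")
    value = _base(target)
    if OUTLOOK_PROFILE_KEY.search(target) and value in OUTLOOK_IMAP_VALUES:
        image = _base(ev.get("Image", ""))
        if image != "outlook.exe":  # Outlook itself legitimately reads these values.
            return [("T1552.002", f"{image} read Outlook value '{value}'")]
    return []


def check_file(ev: Event) -> List[Hit]:
    """File read record for a Thunderbird profile credential store."""
    path = ev.get("TargetFilename", "")
    if THUNDERBIRD_CRED_FILE.search(path):
        image = _base(ev.get("Image", ""))
        if image != "thunderbird.exe":
            return [("T1552.001", f"{image} read Thunderbird file {_base(path)}")]
    return []


def scan(events: Iterable[Event]) -> Dict[str, List[Hit]]:
    """Group hits per host so co-occurring techniques can be triaged together."""
    checks = {"process": check_process, "registry": check_registry, "file": check_file}
    by_host: Dict[str, List[Hit]] = {}
    for ev in events:
        for hit in checks.get(ev.get("kind", ""), lambda _: [])(ev):
            by_host.setdefault(ev.get("Host", "?"), []).append(hit)
    return by_host


# Constructed sample telemetry (not real IOCs): WS01 shows the chain, WS02 is benign.
TMP = r"C:\Users\alice\AppData\Local\Temp"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
OUTLOOK_VALUE = (r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Outlook\Profiles"
                 r"\Outlook\9375CFF0413111d3B88A00104B2A6676\IMAP Password")
TB_LOGINS = r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\abc123.default-release\logins.json"
SAMPLE_EVENTS: List[Event] = [
    {"kind": "process", "Host": "WS01", "Image": TMP + r"\update.exe",
     "OriginalFileName": "msinfo32.exe", "CommandLine": TMP + r"\update.exe"},
    {"kind": "process", "Host": "WS01", "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": f"certutil -decode {TMP}\\a.txt {TMP}\\a.dll"},
    {"kind": "process", "Host": "WS01", "Image": RUNDLL, "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": f"rundll32.exe {TMP}\\a.dll,#1"},
    {"kind": "registry", "Host": "WS01", "Image": RUNDLL, "TargetObject": OUTLOOK_VALUE},
    {"kind": "file", "Host": "WS01", "Image": RUNDLL, "TargetFilename": TB_LOGINS},
    {"kind": "registry", "Host": "WS02", "TargetObject": OUTLOOK_VALUE,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"kind": "file", "Host": "WS02", "TargetFilename": TB_LOGINS,
     "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},
    {"kind": "process", "Host": "WS02", "Image": r"C:\Windows\System32\msinfo32.exe",
     "OriginalFileName": "msinfo32.exe", "CommandLine": "msinfo32.exe"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for technique, reason in hits:
            print(f"{host}\t{technique}\t{reason}")
```

Each check on its own is noisy in a large fleet (administrators do run `certutil -decode`, and some add-ins read Outlook profile values), which is why `scan` groups hits per host: a single workstation showing the renamed `msinfo32.exe`, the `rundll32` load and a non-Outlook read of the IMAP values within a short window is the combination worth paging on. The `OriginalFileName` comparison only works where the telemetry source populates it from the PE version resource, as Sysmon does.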