strrat | c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f | Triage

Sharing

General

Target

ShippingDoc.jar
Size

166KB
Sample

201118-8cwkg4vaha
MD5

335c639a4ea7c94f9c53d1e793f08f45
SHA1

d4d26a79b9c0e80b2ecee65f850f6fed21cbbaa2
SHA256

c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f
SHA512

587282a10f3e2dbd16a2f18b45686b4701e30110f561babe677c6bc795ecc40b6479d3b54bb4cb69c0117eb63ba251d3531621745f6a601aa5699e1fb18a07f2

Score

10^/10

strrat persistence stealer trojan

Malware Config

Targets

- Target
  
  ShippingDoc.jar
- Size
  
  166KB
- MD5
  
  335c639a4ea7c94f9c53d1e793f08f45
- SHA1
  
  d4d26a79b9c0e80b2ecee65f850f6fed21cbbaa2
- SHA256
  
  c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f
- SHA512
  
  587282a10f3e2dbd16a2f18b45686b4701e30110f561babe677c6bc795ecc40b6479d3b54bb4cb69c0117eb63ba251d3531621745f6a601aa5699e1fb18a07f2
Score

10^/10

strrat persistence stealer trojan
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

strratpersistencestealertrojan