strrat | 78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf | Triage

Submit
Reports

Overview

overview

Static

static

1

78882c2743...3cf.js

windows7-x64

78882c2743...3cf.js

windows10-2004-x64

Sharing

General

Target

78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf.js
Size

4.9MB
Sample

230223-nf634ahe4t
MD5

4a38e31d3ef1231427efec1bf45cd882
SHA1

e8bea5f848779e84bbb9cc0f5585a62e086fadc7
SHA256

78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf
SHA512

8449570e03218f1efaa2d31783d73fd1c74b4011e8a3d0a281dd153eddc744d1e23d19d7e875aef2df2906e5197ca4271c7b1e28be0fe036368c212b72e4c35a
SSDEEP

3072:OPcyNWe8yIe784AfkDT6sfndkHoa7Qr1Lqy/3OMEvDgzo5O2IzE1aYHgDhKXU/Wd:6TN1U

Score

10^/10

strrat vjw0rm persistence stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf.js

Resource

win7-20230220-en

strrat vjw0rm persistence stealer trojan worm

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf.js

Resource

win10v2004-20230221-en

strrat vjw0rm persistence stealer trojan worm

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf.js
- Size
  
  4.9MB
- MD5
  
  4a38e31d3ef1231427efec1bf45cd882
- SHA1
  
  e8bea5f848779e84bbb9cc0f5585a62e086fadc7
- SHA256
  
  78882c274365a8fb9b0ce2402c31b4a173ea04e7645288c3a0210908533403cf
- SHA512
  
  8449570e03218f1efaa2d31783d73fd1c74b4011e8a3d0a281dd153eddc744d1e23d19d7e875aef2df2906e5197ca4271c7b1e28be0fe036368c212b72e4c35a
- SSDEEP
  
  3072:OPcyNWe8yIe784AfkDT6sfndkHoa7Qr1Lqy/3OMEvDgzo5O2IzE1aYHgDhKXU/Wd:6TN1U
Score

10^/10

strrat vjw0rm persistence stealer trojan worm
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

strratvjw0rmpersistencestealertrojanworm

behavioral2

strratvjw0rmpersistencestealertrojanworm

© 2018-2024

Terms | Privacy