Overview

overview

10

Static

static

1

ORDER-230278.jar

windows7-x64

10

ORDER-230278.jar

windows10-2004-x64

10

Order-Spec...on.vbs

windows7-x64

10

Order-Spec...on.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ea4bceb3df15541d335307a4c24db4829bcc7a0199900f89ba4a8cc55a7cf468.zip

  • Size

    76KB

  • Sample

    230502-z2k9asce94

  • MD5

    97d3e980d4e5ecbc81de299fa1b1d6bb

  • SHA1

    2be1c208c94213ce5a64da7e26c98c31edd0f071

  • SHA256

    77374653962a47425ed0b6f2ca6444469a2870be1155227c8a11d96c25357820

  • SHA512

    a64cd87d3319d4cce41e7a183e4ca194d850a6390ff449118d1412d706c93619199089817f4d79f55f3b906016aae399ed4815c79bd249055010ceb38699158e

  • SSDEEP

    1536:KNCOX6WoLJZfhF3WI7EbSJb3Od8CPWpyWl1KjilJLk1hKUd7NXDfOwT4C:KYVLHZF3WheJb3Od8CPMyf2b0bjOUp

Score
10/10
strratwshratpersistencestealertrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      ORDER-230278.jar

    • Size

      70KB

    • MD5

      a3ac8935c4feb0eef726668c1bd88498

    • SHA1

      dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac

    • SHA256

      7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f

    • SHA512

      985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e

    • SSDEEP

      1536:N1v9xQj4jxuA1gtPVfoySqawKXJ3zyse7isCW:T9G8jngt9HdqbeWQ

    Score
    10/10
    strratpersistencestealertrojan

    • STRRAT

      STRRAT is a remote access tool than can steal credentials and log keystrokes.

      trojanstealerstrrat

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Order-Specification.vbs

    • Size

      289KB

    • MD5

      ba07223a894931526fd69b0c2b21221d

    • SHA1

      d7b63bb26abca39ef9c5ececa1a7bee5aa68cd15

    • SHA256

      315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d

    • SHA512

      49611e025ccaa2f79072b3a1ab53b7d3fce2c61602ab6dc03dcf2fe9af862bdcdc35c9a3475c8a89ce99cadc89c20495730c048bd23248d644dee54b9a252799

    • SSDEEP

      384:d7QL+L0YoyzODjxosdoKF5vT8b8Qq6Pu7r7eOFDl7k7EDFh+2O0i99RVz8Jm0Jp1:4

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks