Overview

overview

10

Static

static

1

ORDER-230278.jar

windows7-x64

10

ORDER-230278.jar

windows10-2004-x64

10

Order-Spec...on.vbs

windows7-x64

10

Order-Spec...on.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER230278.pdf.z.bin

  • Size

    76KB

  • Sample

    230505-zpjjyaeb96

  • MD5

    f78a39cabfe10c50cbfa7fc702d40538

  • SHA1

    0b2dcde43a772b4673c6658afa05fd23a9e25653

  • SHA256

    ea4bceb3df15541d335307a4c24db4829bcc7a0199900f89ba4a8cc55a7cf468

  • SHA512

    178c5fab78ecd38a08935952062105d59bb17fbe7c427d07a05dbb782f0f9c7bcad3a642dc9b40e81ba13ad48ce9e127367ff054a386b5dfcb9b98f9fa8bc3dd

  • SSDEEP

    1536:XP2OQzCCzPAZmMvVHp5bYhsoOW3wXhrl4FgeVl9vILZEG+LtdZ7+Ao0th0:X+OQ2SPAMMvVHp5shstXhrl4FHhALZEi

Score
10/10
strratwshratpersistencestealertrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      ORDER-230278.jar

    • Size

      70KB

    • MD5

      a3ac8935c4feb0eef726668c1bd88498

    • SHA1

      dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac

    • SHA256

      7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f

    • SHA512

      985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e

    • SSDEEP

      1536:N1v9xQj4jxuA1gtPVfoySqawKXJ3zyse7isCW:T9G8jngt9HdqbeWQ

    Score
    10/10
    strratpersistencestealertrojan

    • STRRAT

      STRRAT is a remote access tool than can steal credentials and log keystrokes.

      trojanstealerstrrat

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Order-Specification.vbs

    • Size

      289KB

    • MD5

      ba07223a894931526fd69b0c2b21221d

    • SHA1

      d7b63bb26abca39ef9c5ececa1a7bee5aa68cd15

    • SHA256

      315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d

    • SHA512

      49611e025ccaa2f79072b3a1ab53b7d3fce2c61602ab6dc03dcf2fe9af862bdcdc35c9a3475c8a89ce99cadc89c20495730c048bd23248d644dee54b9a252799

    • SSDEEP

      384:d7QL+L0YoyzODjxosdoKF5vT8b8Qq6Pu7r7eOFDl7k7EDFh+2O0i99RVz8Jm0Jp1:4

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks