strrat | ea4bceb3df15541d335307a4c24db4829bcc7a0199900f89ba4a8cc55a7cf468 | Triage

Sharing

General

Target

EA4BCEB3DF15541D335307A4C24DB4829BCC7A0199900F89BA4A8CC55A7CF468
Size

76KB
Sample

230518-cerfgahb87
MD5

f78a39cabfe10c50cbfa7fc702d40538
SHA1

0b2dcde43a772b4673c6658afa05fd23a9e25653
SHA256

ea4bceb3df15541d335307a4c24db4829bcc7a0199900f89ba4a8cc55a7cf468
SHA512

178c5fab78ecd38a08935952062105d59bb17fbe7c427d07a05dbb782f0f9c7bcad3a642dc9b40e81ba13ad48ce9e127367ff054a386b5dfcb9b98f9fa8bc3dd
SSDEEP

1536:XP2OQzCCzPAZmMvVHp5bYhsoOW3wXhrl4FgeVl9vILZEG+LtdZ7+Ao0th0:X+OQ2SPAMMvVHp5shstXhrl4FHhALZEi

Score

10^/10

strrat wshrat persistence stealer trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-230278.jar
- Size
  
  70KB
- MD5
  
  a3ac8935c4feb0eef726668c1bd88498
- SHA1
  
  dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac
- SHA256
  
  7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f
- SHA512
  
  985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e
- SSDEEP
  
  1536:N1v9xQj4jxuA1gtPVfoySqawKXJ3zyse7isCW:T9G8jngt9HdqbeWQ
Score

10^/10

strrat persistence stealer trojan
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Order-Specification.vbs
- Size
  
  289KB
- MD5
  
  ba07223a894931526fd69b0c2b21221d
- SHA1
  
  d7b63bb26abca39ef9c5ececa1a7bee5aa68cd15
- SHA256
  
  315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d
- SHA512
  
  49611e025ccaa2f79072b3a1ab53b7d3fce2c61602ab6dc03dcf2fe9af862bdcdc35c9a3475c8a89ce99cadc89c20495730c048bd23248d644dee54b9a252799
- SSDEEP
  
  384:d7QL+L0YoyzODjxosdoKF5vT8b8Qq6Pu7r7eOFDl7k7EDFh+2O0i99RVz8Jm0Jp1:4
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

strratpersistencestealertrojan

behavioral2

strratpersistencestealertrojan

behavioral3

wshratpersistencetrojan

behavioral4

wshratpersistencetrojan