Overview

overview

10

Static

static

10

14052163e5...43.exe

windows7-x64

10

14052163e5...43.exe

windows10-1703-x64

10

14052163e5...43.exe

windows10-2004-x64

10

14052163e5...43.exe

windows11-21h2-x64

10

Antimalwar...ble.js

windows7-x64

8

Antimalwar...ble.js

windows10-1703-x64

8

Antimalwar...ble.js

windows10-2004-x64

8

Antimalwar...ble.js

windows11-21h2-x64

8

EmbraTor M...et.exe

windows7-x64

1

EmbraTor M...et.exe

windows10-1703-x64

1

EmbraTor M...et.exe

windows10-2004-x64

1

EmbraTor M...et.exe

windows11-21h2-x64

1

Java Install.jar

windows7-x64

1

Java Install.jar

windows10-1703-x64

7

Java Install.jar

windows10-2004-x64

7

Java Install.jar

windows11-21h2-x64

7

MsMpEng.js

windows7-x64

10

MsMpEng.js

windows10-1703-x64

9

MsMpEng.js

windows10-2004-x64

10

MsMpEng.js

windows11-21h2-x64

10

Windows Dr...on.vbs

windows7-x64

10

Windows Dr...on.vbs

windows10-1703-x64

10

Windows Dr...on.vbs

windows10-2004-x64

10

Windows Dr...on.vbs

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:34

240409-qvlrtabe9s 10

09-04-2024 13:34

240409-qvk6aabe81 10

09-04-2024 13:33

240409-qthzjabe5z 10

09-04-2024 13:33

240409-qthc1abe5y 10

07-07-2023 11:45

230707-nw632ahf6w 10

Analysis

  • max time kernel
    1188s
  • max time network
    1199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14052163e50c197697c64b143.exe

  • Size

    17.6MB

  • MD5

    14052163e50c197697c64b1431b42271

  • SHA1

    df301332faa73c3d5f915fde61df2fc9de21a61a

  • SHA256

    4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

  • SHA512

    124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab

  • SSDEEP

    393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg

Score
10/10
strratdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

strrat

C2

rar.ydns.eu:9999

svchost.ydns.eu:10000
Attributes
  • license_id

    khonsari

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    false

  • secondary_startup

    false

  • startup

    true

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

    trojanstealerstrrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 38 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b143.exe
    "C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b143.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.JS"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1576
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MsMpEng.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\x.exe
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 0
            5⤵
            • Delays execution with timeout.exe
            PID:4772
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Java Install.jar"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2044
    • C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe
      "C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    43a4363c38d9214637b5c54028b405ae

    SHA1

    6a0e1dc1403839e7cd990eeadf141972c9643399

    SHA256

    d160aa7aa671ea669b0ff99581f7011206cf977277e5e904ab566b0756c47b7c

    SHA512

    d8a8eb5a244d852f61a6b9736939cebac63480c0824d50ec3e70acd3d5428cc30f03bdfbdfe03ff190c8802b15c4301000836e1813ae3e5941495e5aeb6c7981

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS
    Filesize

    713KB

    MD5

    c958a31d5e439d5b0d01900e5a85992a

    SHA1

    fc40d0ef637fe55fbaf83e8f4891e008ac736df6

    SHA256

    e3a33757c2e596f7ee50a4a41ff58f2e64dbdb062257fe5749ca19b955b0baaf

    SHA512

    2aa0c813b7c17b01e1c18a3a12fb4f3c8ba9c9fee79a3ed66421959fd0440571e0cba5e90569970655342ce2730e823feae23ef6c5da09248f3da68fc0f3cf1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe
    Filesize

    1012KB

    MD5

    5d57e6b8aff1ec900f553789f6796648

    SHA1

    f9a953cfe6decb237ed98c30faabec8654d99171

    SHA256

    3863d2cab19dba2988e33810d9235e0f04aee019b696e4fdf4cf637b3072b19d

    SHA512

    d66a6a97c5b3bb23df2b549af8dd6e2c201d0cdb08a2a4026bfbf831652ba5c8f133beba13f64426f1bdaf6cca83c4e54de8099ea0e02ac7a6c91f35d68f4915

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Java Install.jar
    Filesize

    92KB

    MD5

    c55f9247eb8ea19af96292f0893f86b5

    SHA1

    bd5e6884b8151114af7e45a92525893f4d2aaabd

    SHA256

    16ed7004aa68efab0eda75b3f9bff11508365a4224ef859c91f93029bc441284

    SHA512

    3efab4ee9e3c9d81efd4e2f164c0a2ae72f688cbd0068cc44a063bf4787ba65b8d2a644ac2f7704fbd059d0ba96665aeff46c2bfba820fb42df06eea7e87ccdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MsMpEng.js
    Filesize

    24.2MB

    MD5

    690d57b0d8670391bad0876cae078bab

    SHA1

    32bea01d606128c606b71e19920099c6cb15030f

    SHA256

    b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458

    SHA512

    dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs
    Filesize

    984B

    MD5

    df00d1e54f85ae90f2f69b73a34c90f4

    SHA1

    1d3e521a8efc17334f4f578432d5af0bb1ef1951

    SHA256

    2c5907389d374ed9efb86194a7f0f954349c93a7bc67b99c3d6b59bfc0d8296c

    SHA512

    5636973f61dd7cce413049f246b5ede00c736f4ac333508a2176b65524327080e17ac97260cbe908fc2d0b18235ee6d7f7a74c808a7ceaddb9ee6518452fa618

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4r4gd1uh.xxe.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\x.exe
    Filesize

    18.1MB

    MD5

    efcd72ad2d3430248a68e5f960ed5e2b

    SHA1

    58cc7d2732f401b99926211c0dab319dfc0bba1a

    SHA256

    41686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8

    SHA512

    d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5

    Download Submit

  • memory/3096-134-0x00000000008A0000-0x0000000001AC6000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/3768-266-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-253-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-275-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-54-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-271-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-56-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-277-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-292-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-269-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-267-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-221-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-78-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-85-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-43-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-100-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-108-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-259-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-274-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-113-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-120-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-122-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-126-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-132-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-35-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-171-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-176-0x0000022434760000-0x0000022434761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3768-181-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-189-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-193-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-196-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-199-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-202-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3768-206-0x0000022435FD0000-0x0000022436FD0000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/3920-50-0x0000000073480000-0x0000000073C30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3920-109-0x00000000066E0000-0x000000000672C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3920-106-0x0000000006570000-0x000000000658E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3920-77-0x00000000061A0000-0x00000000064F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3920-72-0x0000000006090000-0x00000000060F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3920-75-0x0000000006130000-0x0000000006196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3920-66-0x0000000005EB0000-0x0000000005ED2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3920-48-0x0000000005110000-0x0000000005120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-46-0x0000000005110000-0x0000000005120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3920-47-0x0000000005750000-0x0000000005D78000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3920-44-0x0000000004FD0000-0x0000000005006000-memory.dmp

    Filesize

    216KB

    Download