strrat | 3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750 | Triage

Resubmissions

09-08-2024 08:38

240809-kjxr2sycnr 10

27-07-2020 18:35

200727-l5jrnfh3sx 8

Sharing

General

Target

ACCORD POUR COMMISSION A PRELEVER.PDF.vbs
Size

246KB
Sample

240809-kjxr2sycnr
MD5

6b23cda6ddc86713d63e5b6bb853a909
SHA1

7c12556e23a5b283846572fc9a1d70b01d306c1d
SHA256

3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750
SHA512

9bd88a406202b539ec6cfb271c7c02b0ac2659d3c925aed20d1680d919f841fbef89566d33f29cca2fd1ebd5641b5a7ee17562eaa5dce447f89256cc470f1eeb
SSDEEP

3072:aUo5/dXbshimRExcL2RXdoAhhI/Q7fgv1fJ5N3+OKFX8bQrzEbM0TC1I+M8IqeCa:arjPmR96gAjI4S1+ybAIA9jdye9Bi

Score

10^/10

strrat wshrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

chance2021.ddns.net:8887

tasklistmgr.duckdns.org:7188

Attributes

license_id
XXMC-VBCA-4RWE-KGDF-XX7X
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Targets

- Target
  
  ACCORD POUR COMMISSION A PRELEVER.PDF.vbs
- Size
  
  246KB
- MD5
  
  6b23cda6ddc86713d63e5b6bb853a909
- SHA1
  
  7c12556e23a5b283846572fc9a1d70b01d306c1d
- SHA256
  
  3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750
- SHA512
  
  9bd88a406202b539ec6cfb271c7c02b0ac2659d3c925aed20d1680d919f841fbef89566d33f29cca2fd1ebd5641b5a7ee17562eaa5dce447f89256cc470f1eeb
- SSDEEP
  
  3072:aUo5/dXbshimRExcL2RXdoAhhI/Q7fgv1fJ5N3+OKFX8bQrzEbM0TC1I+M8IqeCa:arjPmR96gAjI4S1+ybAIA9jdye9Bi
Score

10^/10

strrat wshrat persistence stealer trojan
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

strratwshratpersistencestealertrojan

behavioral2

strratwshratpersistencestealertrojan