strrat | 3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750

General

Target

ACCORD POUR COMMISSION A PRELEVER.PDF.vbs
Size

246KB
MD5

6b23cda6ddc86713d63e5b6bb853a909
SHA1

7c12556e23a5b283846572fc9a1d70b01d306c1d
SHA256

3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750
SHA512

9bd88a406202b539ec6cfb271c7c02b0ac2659d3c925aed20d1680d919f841fbef89566d33f29cca2fd1ebd5641b5a7ee17562eaa5dce447f89256cc470f1eeb
SSDEEP

3072:aUo5/dXbshimRExcL2RXdoAhhI/Q7fgv1fJ5N3+OKFX8bQrzEbM0TC1I+M8IqeCa:arjPmR96gAjI4S1+ybAIA9jdye9Bi

Score

10^/10

strrat wshrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

chance2021.ddns.net:8887

tasklistmgr.duckdns.org:7188

Attributes

license_id
XXMC-VBCA-4RWE-KGDF-XX7X
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
4	2680	WScript.exe
12	2680	WScript.exe
21	2680	WScript.exe
27	2680	WScript.exe
32	2680	WScript.exe
37	2680	WScript.exe
43	2680	WScript.exe
48	2680	WScript.exe
53	2680	WScript.exe
59	2680	WScript.exe
64	2680	WScript.exe
69	2680	WScript.exe
77	2680	WScript.exe
86	2680	WScript.exe
91	2680	WScript.exe
97	2680	WScript.exe
102	2680	WScript.exe
108	2680	WScript.exe
114	2680	WScript.exe
119	2680	WScript.exe
124	2680	WScript.exe
130	2680	WScript.exe
135	2680	WScript.exe
145	2680	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2680	1780	WScript.exe	31
PID 1780 wrote to memory of 2680	1780	WScript.exe	31
PID 1780 wrote to memory of 2680	1780	WScript.exe	31
PID 1780 wrote to memory of 2804	1780	WScript.exe	32
PID 1780 wrote to memory of 2804	1780	WScript.exe	32
PID 1780 wrote to memory of 2804	1780	WScript.exe	32
PID 2804 wrote to memory of 2508	2804	cmd.exe	34
PID 2804 wrote to memory of 2508	2804	cmd.exe	34
PID 2804 wrote to memory of 2508	2804	cmd.exe	34
PID 1780 wrote to memory of 856	1780	WScript.exe	36
PID 1780 wrote to memory of 856	1780	WScript.exe	36
PID 1780 wrote to memory of 856	1780	WScript.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ACCORD POUR COMMISSION A PRELEVER.PDF.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mZIHvZJhYf.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:2508
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\mZIHvZJhYf.vbs

Filesize
37KB

MD5
78146f57fb9a52ba473cea3f64bd9f9c

SHA1
5fda29f8a4ad72435fa7fb5ec607e83e5a213991

SHA256
b8179abe3ff542c5ac1655b427a79acaa3d507d2164aebaf1f0b004f08137077

SHA512
ef5828fa60a7a3994e6e1d5f2c2c5974731828d7d913d5a6fa2636d8505645d57b54feceadf8dd6e541daa7003c2298c923dd09557e884e32f01a5f61d3691a0

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
91KB

MD5
6800ec9e36cb278f357fae3eca55e12b

SHA1
18126c7b1bb2349195563803e0415fe09ae4b98c

SHA256
4b01737ef8dcb9de21994b5b675d59aa7ebbd11eb7f4efeffa1c181b303e8f1c

SHA512
81b48082632eb8327ca0037790f36fbefe9f0c2f9288d06fb708535cee1cb20c99e0ec9c871e6edd3c115fa27dc5164f28d8e4c953f63b0d0363ed03616d47e0

Download Submit
memory/856-32-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/856-39-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/856-71-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/856-76-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2508-9-0x0000000002500000-0x0000000002770000-memory.dmp

Filesize
2.4MB

Download
memory/2508-19-0x0000000002500000-0x0000000002770000-memory.dmp

Filesize
2.4MB

Download
memory/2508-18-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads