General
Target: ORDER-24171200967.XLS..js
Size: 7KB
Sample: 241217-dbrgqsyrbm
MD5: f9909c7c05d71c1d6b64286308f98acc
SHA1: 285b28cb198161825f9860c9d92d394b4e5432bd
SHA256: 3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85
SHA512: 57229234a1439080f06e8388a1f3680800c65ade4c5bdfe4ca2baa44e39d90decc04930241a0de83be5537e6e0081753f56cb624de4f893eb5b238b21eb75d93
SSDEEP: 192:++B5F0K8hVKxuKb5xy49ngVvVgDyDGGxziGqV+xqQ:++3F0K8hVKxuKb5xy49ngVvVgDyDGGxb
Static task: static1
Behavioral task: behavioral1
Sample: ORDER-24171200967.XLS..js
Resource: win7-20240729-en
Malware Config
Extracted: strrat
C2: chongmei33.publicvm.com:44662
C2: jinvestments.duckdns.org:44662
license_id: khonsari
plugins_url: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task: true
secondary_startup: true
startup: true
Extracted: wshrat
C2: http://chongmei33.publicvm.com:7045
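The extracted STRRAT and WSHRAT configs give concrete network indicators: two STRRAT C2 host:port pairs, the plugins URL on jbfrost.live, and the WSHRAT C2 on chongmei33.publicvm.com:7045. Below is an added example, not part of the sandbox report, that normalises those values into (host, port) pairs, runs them over proxy log lines and also flags any other traffic to the free dynamic-DNS providers both configs rely on. The log format (timestamp, source, destination, method, target) and the log lines are constructed for this example; the dynamic-DNS suffix rule is an assumption and in practice will also catch benign hosts under those providers.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken verbatim from the STRRAT / WSHRAT configs above
STRRAT_C2 = [
    ("chongmei33.publicvm.com", 44662),
    ("jinvestments.duckdns.org", 44662),
]
STRRAT_PLUGINS_URL = "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5"
WSHRAT_C2_URL = "http://chongmei33.publicvm.com:7045"

# Assumption: free dynamic-DNS suffixes used by both configs are worth a
# lower-severity hit on their own.
DYNDNS_SUFFIXES = (".publicvm.com", ".duckdns.org")


def host_port_from_url(url):
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.hostname.lower(), port


def build_iocs():
    """Exact (host, port) pairs to match against."""
    iocs = set(STRRAT_C2)
    iocs.add(host_port_from_url(STRRAT_PLUGINS_URL))
    iocs.add(host_port_from_url(WSHRAT_C2_URL))
    return iocs


def parse_plugins_url(url):
    """Pull the query parameters out of the plugins_url (hwid, lid, ht)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# Constructed log format: "<ts> <src> <dst:port> <method> <target>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<target>\S+)$"
)

SAMPLE_LOG = """\
2024-12-17T10:01:02Z 10.0.0.15 93.184.216.34:443 CONNECT example.com:443
2024-12-17T10:01:09Z 10.0.0.15 203.0.113.7:44662 TCP chongmei33.publicvm.com:44662
2024-12-17T10:01:11Z 10.0.0.15 203.0.113.9:80 GET http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
2024-12-17T10:01:40Z 10.0.0.15 203.0.113.12:44662 TCP jinvestments.duckdns.org:44662
2024-12-17T10:02:00Z 10.0.0.22 203.0.113.40:7045 GET http://chongmei33.publicvm.com:7045/
2024-12-17T10:02:30Z 10.0.0.22 198.51.100.8:443 CONNECT updates.duckdns.org:443
"""


def classify_line(line, iocs):
    """Return a hit dict for a matching line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if target.startswith(("http://", "https://")):
        host, port = host_port_from_url(target)
    else:
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, "0"
        host, port = host.lower(), int(port)
    if (host, port) in iocs:
        kind = "c2"
    elif host.endswith(DYNDNS_SUFFIXES):
        kind = "dyndns"
    else:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"),
            "host": host, "port": port, "kind": kind}


def scan_log(text, iocs=None):
    if iocs is None:
        iocs = build_iocs()
    hits = []
    for line in text.splitlines():
        hit = classify_line(line, iocs)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    print("beacon params:", parse_plugins_url(STRRAT_PLUGINS_URL))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Exact host:port matches are reported as "c2"; the last line, a host under duckdns.org that is not in the config, only gets the weaker "dyndns" label so it can be triaged separately rather than blocked outright.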
Targets
Target: ORDER-24171200967.XLS..js
Size: 7KB
MD5: f9909c7c05d71c1d6b64286308f98acc
SHA1: 285b28cb198161825f9860c9d92d394b4e5432bd
SHA256: 3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85
SHA512: 57229234a1439080f06e8388a1f3680800c65ade4c5bdfe4ca2baa44e39d90decc04930241a0de83be5537e6e0081753f56cb624de4f893eb5b238b21eb75d93
SSDEEP: 192:++B5F0K8hVKxuKb5xy49ngVvVgDyDGGxziGqV+xqQ:++3F0K8hVKxuKb5xy49ngVvVgDyDGGxb
- Strrat family
- Wshrat family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: JavaScript (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)