General

  • Target

    ORDER-24171200967.XLS..js

  • Size

    7KB

  • Sample

    241217-dd3msayrgk

  • MD5

    f9909c7c05d71c1d6b64286308f98acc

  • SHA1

    285b28cb198161825f9860c9d92d394b4e5432bd

  • SHA256

    3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85

  • SHA512

    57229234a1439080f06e8388a1f3680800c65ade4c5bdfe4ca2baa44e39d90decc04930241a0de83be5537e6e0081753f56cb624de4f893eb5b238b21eb75d93

  • SSDEEP

    192:++B5F0K8hVKxuKb5xy49ngVvVgDyDGGxziGqV+xqQ:++3F0K8hVKxuKb5xy49ngVvVgDyDGGxb

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

jinvestments.duckdns.org:44662

Attributes
  • license_id

    khonsari

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      ORDER-24171200967.XLS..js

    • Size

      7KB

    • MD5

      f9909c7c05d71c1d6b64286308f98acc

    • SHA1

      285b28cb198161825f9860c9d92d394b4e5432bd

    • SHA256

      3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85

    • SHA512

      57229234a1439080f06e8388a1f3680800c65ade4c5bdfe4ca2baa44e39d90decc04930241a0de83be5537e6e0081753f56cb624de4f893eb5b238b21eb75d93

    • SSDEEP

      192:++B5F0K8hVKxuKb5xy49ngVvVgDyDGGxziGqV+xqQ:++3F0K8hVKxuKb5xy49ngVvVgDyDGGxb

    • STRRAT

      STRRAT is a remote access tool than can steal credentials and log keystrokes.

    • Strrat family

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Wshrat family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks