General

  • Target

    ORDER-24171200967.XLS..js

  • Size

    7KB

  • Sample

    241217-dd3msayrgk

  • MD5

    f9909c7c05d71c1d6b64286308f98acc

  • SHA1

    285b28cb198161825f9860c9d92d394b4e5432bd

  • SHA256

    3262bd3a884311409a84415b7edffaecfacd37c2948f3f4fc1ea5b664abaed85

  • SHA512

    57229234a1439080f06e8388a1f3680800c65ade4c5bdfe4ca2baa44e39d90decc04930241a0de83be5537e6e0081753f56cb624de4f893eb5b238b21eb75d93

  • SSDEEP

    192:++B5F0K8hVKxuKb5xy49ngVvVgDyDGGxziGqV+xqQ:++3F0K8hVKxuKb5xy49ngVvVgDyDGGxb

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

jinvestments.duckdns.org:44662

Attributes

  • license_id

    khonsari

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • STRRAT

      STRRAT is a remote access tool that can steal credentials and log keystrokes.

    • Strrat family

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Wshrat family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
