strrat

General

Target

esigned-document_eml.bat
Size

2KB
Sample

250102-q9acbsxkdq
MD5

a0d37228b4ad0ebea6537b99cbcb7ff0
SHA1

cec0438ed7acde6a177bc220df2d4fa94352e539
SHA256

e85d8640a62e0d223fe9892384eecb8bb9e67d4bf2fc020881058506b33bec30
SHA512

a4fda2b2adbe591bbfb44fb0949becf75349f5255f197008727486f15e0cc18fcdbce6c1d3ba16e65a5e32a5d8ffc857cfa75402975eafedf4c11524d4f1f9ea

Score

10^/10

Malware Config

Targets

- Target
  
  esigned-document_eml.bat
- Size
  
  2KB
- MD5
  
  a0d37228b4ad0ebea6537b99cbcb7ff0
- SHA1
  
  cec0438ed7acde6a177bc220df2d4fa94352e539
- SHA256
  
  e85d8640a62e0d223fe9892384eecb8bb9e67d4bf2fc020881058506b33bec30
- SHA512
  
  a4fda2b2adbe591bbfb44fb0949becf75349f5255f197008727486f15e0cc18fcdbce6c1d3ba16e65a5e32a5d8ffc857cfa75402975eafedf4c11524d4f1f9ea
Score

10^/10

discovery execution strrat adware persistence privilege_escalation stealer trojan
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- Strrat family
  strrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2