strrat | 5f56ca30aeced923f11377c2651244de171290074faaea9a3d85f81b3e83e3f1

Analysis

max time kernel
295s
max time network
297s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#2500008_ Jan_2025.Xls.js
Size

955KB
MD5

46585cfdb357b9c32e0aed02376dea2c
SHA1

3525ccecb41582261ba6401d34b56cfdb7ec0d1e
SHA256

b7e9e72922bbafab57989a81d72e1dee75ae384bd975cce8a707417cc1df725a
SHA512

52b9a853aec1268ed4304a3712a50a59d12ae4777eb5108920b7e8518ee6800449597d43a29fc73e33e4e3375c8a9fc99e55c7a47b54bed03aea7ef48e238929
SSDEEP

6144:nj8EnXTkIEmXTSPAKujxQ2ZFnQsa45Z44HQ6YGhz00KY6RRs44lEhc6cgPEtcExS:nwmsGKcdssa474tYR0rGlfcEo

Score

10^/10

strrat wshrat execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

chongmei33.publicvm.com:44662

chongmei33.myddns.rocks:44662

Attributes

license_id
khonsari
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 53 IoCs

flow	pid	Process
5	2812	wscript.exe
6	2812	wscript.exe
7	2812	wscript.exe
9	2812	wscript.exe
10	2812	wscript.exe
11	2812	wscript.exe
13	2812	wscript.exe
14	2812	wscript.exe
15	2812	wscript.exe
17	2812	wscript.exe
18	2812	wscript.exe
19	2812	wscript.exe
21	2812	wscript.exe
22	2812	wscript.exe
23	2812	wscript.exe
25	2812	wscript.exe
26	2812	wscript.exe
27	2812	wscript.exe
29	2812	wscript.exe
30	2812	wscript.exe
31	2812	wscript.exe
33	2812	wscript.exe
34	2812	wscript.exe
35	2812	wscript.exe
37	2812	wscript.exe
38	2812	wscript.exe
39	2812	wscript.exe
41	2812	wscript.exe
42	2812	wscript.exe
43	2812	wscript.exe
45	2812	wscript.exe
46	2812	wscript.exe
47	2812	wscript.exe
49	2812	wscript.exe
50	2812	wscript.exe
51	2812	wscript.exe
53	2812	wscript.exe
54	2812	wscript.exe
55	2812	wscript.exe
57	2812	wscript.exe
58	2812	wscript.exe
59	2812	wscript.exe
61	2812	wscript.exe
62	2812	wscript.exe
63	2812	wscript.exe
65	2812	wscript.exe
66	2812	wscript.exe
67	2812	wscript.exe
69	2812	wscript.exe
70	2812	wscript.exe
71	2812	wscript.exe
73	2812	wscript.exe
74	2812	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 53 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	49	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	53	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	9	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	33	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	39	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	22	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	13	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	45	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	47	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	6	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	61	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	30	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	27	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	66	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	67	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	38	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	34	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	43	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	10	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	19	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	65	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	71	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	11	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	23	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	37	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	51	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	50	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	15	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	31	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	25	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	17	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	54	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	55	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	5	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	21	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	59	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	26	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	7	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	18	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	41	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	63	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	62	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	14	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript
HTTP User-Agent header	35	WSHRAT\|48BD7EF4\|VORHPBAB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 7/1/2025\|JavaScript

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 772	1952	wscript.exe	30
PID 1952 wrote to memory of 772	1952	wscript.exe	30
PID 1952 wrote to memory of 772	1952	wscript.exe	30
PID 1952 wrote to memory of 1960	1952	wscript.exe	31
PID 1952 wrote to memory of 1960	1952	wscript.exe	31
PID 1952 wrote to memory of 1960	1952	wscript.exe	31
PID 1960 wrote to memory of 2812	1960	WScript.exe	32
PID 1960 wrote to memory of 2812	1960	WScript.exe	32
PID 1960 wrote to memory of 2812	1960	WScript.exe	32
PID 772 wrote to memory of 2760	772	WScript.exe	33
PID 772 wrote to memory of 2760	772	WScript.exe	33
PID 772 wrote to memory of 2760	772	WScript.exe	33

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO#2500008_ Jan_2025.Xls.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TZQ.jar"
    3⤵
    PID:2760
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TZQ.jar

Filesize
265KB

MD5
49b06e70255a9d233ee47e15d9a2e23b

SHA1
a4c33ef1c39d7715216c27dc93d417c3eb3ec39e

SHA256
db396f9ae63eab45892eed0964926126301abaec49d356765b8cd181572551e5

SHA512
1ae0d43afaffb6ea57c493f8ab77b5b5bb2a74203cc5e9c0cb6256443f5f4095eb927d7e2ef276c24c91f7aa370dfd6903bc152a791f7ce69c91061d0c805e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
376KB

MD5
66557642aadcc9634d9fd1201d730ed7

SHA1
c0aeeaa215a04a1f87385dfa1395420969a40fa8

SHA256
6db12be58fe93da654afb1f98737e2e1fa05be9c3acce26413792cf30f9e482e

SHA512
820f7783339e77d6b2c3f308b0df3e56888216fee2d1aee099fb2e09dcbc4ec6926070976b8b948e56ab351c03052b34562ed406681f5cfe8aad92a8a90e66f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
305KB

MD5
7baf3694a88ff874e20a3d68a6c060d0

SHA1
fd9e22e3d52e0100dc963f776137cb6068e44825

SHA256
7693d4d8b365e1e7592dab1df24c67c133d0327a82cfab4f806f894b713b7847

SHA512
3ed74145253f5658ee8f253952dd0cbbf7f8f41cfe75a69f36bc954b3eb3a8c1b8bba66459ac3344214ac708aed16abe50be9899dd7b2ee3abc7bf89cc93c2a4

Download Submit
memory/2760-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads