strrat | 77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06 | Triage

Sharing

General

Target

ORDER #256988PDF.js
Size

955KB
Sample

250214-gw5rmsvlhp
MD5

a8d8c8f8213370e298e4c51777b5ca6f
SHA1

e7154be7f1ece7adb9a1bda5a76023890911f26c
SHA256

77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06
SHA512

8336c930cd80b4e1c890ab5201d5b482bff71b5d4309a1a85b032570b9e39d93389ee07537bff58b58978bf0492c40499505074cb6ce99640ecd2d5d8b3b48e8
SSDEEP

6144:w4j8E7KdksEmXpivANu3xQ2ZFnNsa9eX44HQfYEhrn9KXXUa14VcEvb6EcB7QTkD:5wezANwdJsa9q4tNVngYABHD

Score

10^/10

strrat wshrat discovery execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

chongmei33.publicvm.com:44662

chongmei33.myddns.rocks:44662

Attributes

license_id
khonsari
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Targets

- Target
  
  ORDER #256988PDF.js
- Size
  
  955KB
- MD5
  
  a8d8c8f8213370e298e4c51777b5ca6f
- SHA1
  
  e7154be7f1ece7adb9a1bda5a76023890911f26c
- SHA256
  
  77bc548441266a989e02d2699c1ee2b6d6dd9254a20dabbb7ab14ce8a2df4c06
- SHA512
  
  8336c930cd80b4e1c890ab5201d5b482bff71b5d4309a1a85b032570b9e39d93389ee07537bff58b58978bf0492c40499505074cb6ce99640ecd2d5d8b3b48e8
- SSDEEP
  
  6144:w4j8E7KdksEmXpivANu3xQ2ZFnNsa9eX44HQfYEhrn9KXXUa14VcEvb6EcB7QTkD:5wezANwdJsa9q4tNVngYABHD
Score

10^/10

strrat wshrat execution persistence stealer trojan discovery
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- Strrat family
  strrat
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Wshrat family
  wshrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

strratwshratexecutionpersistencestealertrojan

behavioral2

strratwshratdiscoveryexecutionpersistencestealertrojan