MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6372a7f93d8048d9105f81e38d773bffd87ab441e8354bc2100ca781d9b43037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


STRRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6372a7f93d8048d9105f81e38d773bffd87ab441e8354bc2100ca781d9b43037
SHA3-384 hash: a9d2e32dbd38d5e8b7b2b2bb2440e0e5d52d9333166d08d0494abb726a3c763a57f272137bd0ca6ce38f108e123e311a
SHA1 hash: 9a1a49cac87033f16b2a18592fd900c6d5a6d1a8
MD5 hash: 585fd27f8c4154c5c343571037aba9ef
humanhash: india-beer-alaska-friend
File name:SCANXEROX25082023.scr.exe
Download: download sample
Signature STRRAT
Create hunting rule
File size:1'424'384 bytes
First seen:2023-08-25 11:10:18 UTC
Last seen:2023-09-04 13:38:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'793 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 24576:hluEXY+mcfNSFgVlqWpnkBxWyuEbQ7p44aZe50HTFQ6Ksch5D/334qo:uvgkSNEbQ7hkchdP4
Threatray 28 similar samples on MalwareBazaar
TLSH T1BC65AE07A7F74AF1F1091736E18B44501797EAC833BBDADA794B0E5F1A86B59CE08603
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter abuse_ch
Tags:exe STRRAT


Avatar
abuse_ch
STRRAT C2:
2.59.254.145:2027

Intelligence

File Origin
# of uploads :
3
# of downloads :
312
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
strrat
Create hunting rule
ID:
1
File name:
SCANXEROX25082023.scr.exe
Verdict:
Malicious activity
Analysis date:
2023-08-25 11:10:58 UTC
Tags:
strrat rat remote evasion stealer
Link:
https://app.any.run/tasks/30d1832a-4c69-4dd8-8732-cb0c49eb2437

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Strrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/444710/
Detection(s):
SecuriteInfo.com.MSIL.Agent.POQ.tr.dldr.23837.22465.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Moving a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade packed
Link:
https://www.filescan.io/uploads/64e88c475ec4a862326095ad/reports/0645339e-c914-4064-a8c2-504b2a322331/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6372a7f93d8048d9105f81e38d773bffd87ab441e8354bc2100ca781d9b43037
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a824380b-098a-4e27-8f23-ba6a4249d924
Result
Threat name:
FormBook, STRRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297309
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AllatoriJARObfuscator
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected STRRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1297309 Sample: SCANXEROX25082023.scr.exe Startdate: 25/08/2023 Architecture: WINDOWS Score: 100 40 repo1.maven.org 2->40 42 github.com 2->42 44 dualstack.sonatype.map.fastly.net 2->44 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 6 other signatures 2->58 10 SCANXEROX25082023.scr.exe 3 5 2->10         started        signatures3 process4 signatures5 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->68 70 Injects a PE file into a foreign processes 10->70 13 SCANXEROX25082023.scr.exe 10->13         started        16 javaw.exe 23 10->16         started        process6 dnsIp7 72 Maps a DLL or memory area into another process 13->72 74 Queues an APC in another process (thread injection) 13->74 19 DsVXIfLStChKShXUOn.exe 13->19 injected 34 140.82.121.3, 443, 49760, 49761 GITHUBUS United States 16->34 36 github.com 140.82.121.4, 443, 49727, 49731 GITHUBUS United States 16->36 38 2 other IPs or domains 16->38 21 icacls.exe 1 16->21         started        signatures8 process9 process10 23 help.exe 13 19->23         started        26 conhost.exe 21->26         started        signatures11 60 Tries to steal Mail credentials (via file / registry access) 23->60 62 Tries to harvest and steal browser information (history, passwords, etc) 23->62 64 Modifies the context of a thread in another process (thread injection) 23->64 66 Maps a DLL or memory area into another process 23->66 28 explorer.exe 1 23->28 injected 32 DsVXIfLStChKShXUOn.exe 23->32 injected process12 dnsIp13 46 www.owcojyyde.best 45.56.79.23, 49860, 49861, 49870 LINODE-APLinodeLLCUS United States 28->46 48 leilah.org 66.235.200.146, 49851, 80 CLOUDFLARENETUS United States 28->48 50 www.leilah.org 28->50 76 System process connects to network (likely due to code injection or exploit) 28->76 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6372a7f93d8048d9105f81e38d773bffd87ab441e8354bc2100ca781d9b43037/
Threat name:
Win32.Trojan.Synder
Create hunting rule
Status:
Malicious
First seen:
2023-08-25 11:11:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnzkp6j5qbensec7qhry25z377mhvncb5a2uxqqqbstydwnuga3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24b05dea7290ca2ab8b49c9efd04492a09fc3e7d6cafba2003316c2a80155645
STRRAT
33fc6a56478fcc172306018e4de7b96684a5ee5d839afc3d0ae8573072ec92b9
STRRAT
662373470e1e29fdc50870c0296a21446f2231455ae93dfb9f4339e21d8eaca5
STRRAT
66ec3c9fb1339c6925fb508c17190aa7869e24b149abcedd771aa53ea9de27fa
STRRAT
9248252c652a2f2a1476b419f62d426b93b38b530b9ea0d16071c2724e4f48e4
STRRAT
c7d4fd24bc684b1d6132f8435cba9c9120df5a08dee714985e94ef4caae17a72
STRRAT
db309c1ee2e0d1555a57a2d177be42d52809cbca61f71292f68523c167448080
STRRAT
ee80038271164361a38cc49e3b1c1ee446eda1c80181ffe161307d414c55fcdf
STRRAT
fb9c41960ea195480341cfdf13deee325e5c563064f21acf1c89e488ee4ea841
STRRAT
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230825-m99kmsch3v/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
ecf5aa31e206016be01ad7c397533501bd3a0e33ada8332f377bc2a923d8d77d
MD5 hash:
2d64ae1961dd2f4bb6f306b5bcb1789a
SHA1 hash:
014a3e5b15e647d05ef57a004733933c434cf1ed
Link:
https://www.unpac.me/results/1facee1b-dc8c-4cc3-aa40-bb1a3f82e236/
SH256 hash:
9768267a5a38e203b2e5fb5a1df0289b862196a34d757ff098a777c9ad0447a8
MD5 hash:
ed7ed3df6550f2881eecc7da57e28ecc
SHA1 hash:
5388ab0354604a2105f71f52f5ba42cb6ea4c159
Link:
https://www.unpac.me/results/1facee1b-dc8c-4cc3-aa40-bb1a3f82e236/
SH256 hash:
20fe8822c73b2e191d7213f46aba518e6ece107d1ecf95641ffc3319505d44b9
MD5 hash:
47110394f873548ab1ccd5e77c6c38bd
SHA1 hash:
cc3d1cb7980ad5348260c1c0cafcf32b2071cf4e
Link:
https://www.unpac.me/results/1facee1b-dc8c-4cc3-aa40-bb1a3f82e236/
SH256 hash:
1a64f278ab0170c9375c8b8ea489797bb7198949659dd96a3e02d3967a546c2a
MD5 hash:
d414d1612135e1c24c2c2e4200ed0d1f
SHA1 hash:
654fb36aa7384a42eba26e17acf5e91f153833e8
Link:
https://www.unpac.me/results/1facee1b-dc8c-4cc3-aa40-bb1a3f82e236/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/1facee1b-dc8c-4cc3-aa40-bb1a3f82e236/
SH256 hash:
6372a7f93d8048d9105f81e38d773bffd87ab441e8354bc2100ca781d9b43037
MD5 hash:
585fd27f8c4154c5c343571037aba9ef
SHA1 hash:
9a1a49cac87033f16b2a18592fd900c6d5a6d1a8
Link:
https://www.unpac.me/results/1facee1b-dc8c-4cc3-aa40-bb1a3f82e236/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6372a7f93d80/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/6372a7f93d8048d9105f81e38d773bffd87ab441e8354bc2100ca781d9b43037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444710/

Comments