MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


STRRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675
SHA3-384 hash: 3e1096e5b91a4f6d4beee4f20d6cc587865a68c7e4178d42f083a7a20f4818653c55326f788c3fbda0dd7f272890788f
SHA1 hash: 30c4c507acecf7c4e0203d8540f21d699c2d6652
MD5 hash: decec0149d94826aa21f3b2765e1c4b4
humanhash: pizza-arizona-mars-nineteen
File name:x.jar
Download: download sample
Signature STRRAT
Create hunting rule
File size:222'711 bytes
First seen:2021-08-30 17:13:30 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 6144:UNhoC6s6Gswd53gnGkNmM403pIFDSwYacvToLLaU2v6z3oOrGD6:86k/gRP3yFmwYVrOLaU2vNOr/
TLSH T1F02402273ADAC1A0F053D47799318233779DE9A4D10A264F93FCA1C119B2D6AB3568CF
Reporter AndreGironda
Tags:jar STRRAT


Avatar
AndreGironda
MITRE T1566.001
Date: Mon, 30 Aug 2021 05:30-06:00 +0000
Received: from smtp-proxy001.phy.heteml.jp (smtp-proxy001.phy.heteml.jp [157.7.44.112])
From: "Support;" <noreply951847@localhost.de>
Subject: ✅ Order Confirmed Invoice Number 91073333572 Pυrchase Տtatement is Confirmed 8/30/2021 5:45:19 AM
Message-Id: <20210830054522.6AD5D3FA05F4@smtp-proxy001.phy.heteml.jp>
Attachment Name: purchase order-419617892#..xlsb
Attachment SHA256: f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x.jar
Verdict:
Malicious activity
Analysis date:
2021-08-30 17:15:52 UTC
Tags:
evasion trojan strrat rat
Link:
https://app.any.run/tasks/021ae9db-3809-4b6a-b4cf-412b7e96d48d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675
Result
Threat name:
STRRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/841785
Signature
Creates autostart registry keys to launch java
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
May check the online IP address of the machine
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AllatoriJARObfuscator
Yara detected STRRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474212 Sample: x.jar Startdate: 30/08/2021 Architecture: WINDOWS Score: 88 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Yara detected STRRAT 2->80 82 May check the online IP address of the machine 2->82 84 4 other signatures 2->84 10 cmd.exe 2 2->10         started        13 javaw.exe 2->13         started        15 javaw.exe 2->15         started        process3 signatures4 88 Uses schtasks.exe or at.exe to add and modify task schedules 10->88 17 java.exe 29 10->17         started        21 conhost.exe 10->21         started        process5 dnsIp6 64 github.com 140.82.121.3, 443, 49705 GITHUBUS United States 17->64 66 github-releases.githubusercontent.com 185.199.108.154, 443, 49707 FASTLYUS Netherlands 17->66 68 3 other IPs or domains 17->68 56 C:\cmdlinestart.log, ASCII 17->56 dropped 23 java.exe 2 20 17->23         started        27 icacls.exe 1 17->27         started        file7 process8 file9 58 C:\Users\user\AppData\Roaming\x.jar, Zip 23->58 dropped 60 C:\Users\user\...\jna6717780267698903252.dll, PE32 23->60 dropped 86 Creates autostart registry keys to launch java 23->86 29 java.exe 15 23->29         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        37 conhost.exe 27->37         started        signatures10 process11 dnsIp12 70 ip-api.com 208.95.112.1, 49714, 80 TUT-ASUS United States 29->70 72 idgerowner.duckdns.org 105.109.211.84, 1990, 49713 ALGTEL-ASDZ Algeria 29->72 74 str-master.pw 29->74 62 C:\Users\user\...\jna4229146387827196354.dll, PE32 29->62 dropped 39 cmd.exe 29->39         started        41 cmd.exe 29->41         started        43 conhost.exe 29->43         started        45 conhost.exe 33->45         started        47 schtasks.exe 33->47         started        file13 process14 process15 49 WMIC.exe 39->49         started        52 conhost.exe 39->52         started        54 conhost.exe 41->54         started        signatures16 76 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 49->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675/
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210830-c838py58c2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

STRRAT

Excel file xlsx f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9

STRRAT

Java file jar 685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675

(this sample)

Cape
Cape
https://capesandbox.com/analysis/183830/
  
Link
https://tria.ge/210830-jv3r4da3sa
  
Dropped by
SHA256 f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9
  
Delivery method
Distributed via e-mail attachment

Comments