MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5fab9889d333c721fed265c13879f11315afe346d13356d4d1d61d16cc2b9d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

STRRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	b5fab9889d333c721fed265c13879f11315afe346d13356d4d1d61d16cc2b9d7
SHA3-384 hash:	4f20627b5ae922cd98cd77c4bbca5dcf185e39c3b1236deb43042173da8df12e1327f7b27101e2c111fec6714d2c811a
SHA1 hash:	c575de9f5fe3af6b479d6b0eff608ba2cbad2c9a
MD5 hash:	ec7b21746a03ffd34199f1943b74fe5e
humanhash:	north-montana-may-cardinal
File name:	URGENT PAYMENT REQUEST.js
Download:	download sample
Signature	STRRAT Create hunting rule
File size:	466'104 bytes
First seen:	2024-10-04 09:25:32 UTC
Last seen:	2024-10-16 15:30:05 UTC
File type:	js
MIME type:	text/plain
ssdeep	12288:wpJc5fLTwmpBt3bSZoWeA/3nk4I4eTrSfD:wO73lW5
TLSH	T109A47EEE1B89333E9B761004E56437B2A298E75AC265F45FA0E17FDEFB9500C920934D
Magika	javascript
Reporter	abuse_ch
Tags:	185-222-58-239 js STRRAT

abuse_ch

STRRAT C2:
185.222.58.239:1781

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.222.58.239:1781	https://threatfox.abuse.ch/ioc/1333721/

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

Vendor Threat Intelligence

Detection(s):

YARA.obfuscated_eval.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ffb4ae0fdf8887097d05ff

Tags:

Shellcode Vmdetect Exploit

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm evasive masquerade obfuscated obfuscated

Link:

https://www.filescan.io/uploads/66ffb4b52ffc4aa29593dc01/reports/690a3b5d-f71a-4c15-80d8-cc3aecca4484/overview

Verdict:

Malicious

Labled as:

GT:JS.Acsogenixx.493

Link:

https://www.hybrid-analysis.com/sample/b5fab9889d333c721fed265c13879f11315afe346d13356d4d1d61d16cc2b9d7

Result

Verdict:

MALICIOUS

Result

Threat name:

STRRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1525561

Signature

Found malware configuration

JavaScript source code contains functionality to generate code involving a shell, file or stream

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected AllatoriJARObfuscator

Yara detected STRRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5fab9889d333c721fed265c13879f11315afe346d13356d4d1d61d16cc2b9d7/

Threat name:

Script-JS.Packed.Acsogenixx

Status:

Malicious

First seen:

2024-10-04 09:26:06 UTC

File Type:

Text

AV detection:

9 of 38 (23.68%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wx5ltce5gm6heh7nezobhb47ceyvv7runujtk3kndvq5c3gcxhlq._file

Result

Malware family:

strrat

Score:

10/10

Tags:

family:strrat execution persistence stealer trojan

Link:

https://tria.ge/reports/241004-ld69zawern/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Loads dropped DLL

STRRAT

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/b5fab9889d333c721fed265c13879f11315afe346d13356d4d1d61d16cc2b9d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample