Managed XDR

temp-128-.eml (STRRAT) — malware analysis report

File info

Filename
temp-128-.eml
File type
RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators
File size
364.8 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
458ba2ae83b3218d73e22297f6e1c47cdd53784c
SHA256
bb76b1bc0fc44e5611914e7d92d582e313d5d9d9e93e5195e1f808933ce7e913
MD5
b2973217fd1902b071fa3392f112ad0d

Malwares

  • STRRAT

Signatures

Execution

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network
T1071.001 network_http: Performs HTTP requests
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
ip_domains: Identifies an IP address using external resources
creates_in_programdata: Creates files in the ProgramData directory

Related reports