Managed XDR

quotation-update-for-e...-2024-04-04-12-19-.eml (STRRAT) — malware analysis report

File info

Filename
quotation-update-for-enquiry_urgent_order-april-june-2024-2024-04-04-12-19-.eml
File type
RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators
File size
635.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
1d70415c1f4efb4dd5f62e4812ba01175ccb881c
SHA256
58fa9d1847ed5f2302640d78de35977efa198542a78753f39bd9dd779811f0ab
MD5
825ad0b25102750435db591fc53d021d

Malwares

  • STRRAT

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network
T1071.001 network_http: Performs HTTP requests
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
ip_domains: Identifies an IP address using external resources
pdf_compressed_stream: Contains an object with compressed stream
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory

Related reports