BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

STRRAT

47
Global rank
23 infographic chevron month
Month rank
18
Week rank
597
IOCs

STRRAT is a type of malicious software known as a remote access trojan (RAT). It gives attackers the ability to gain full control over a victim's computer system, enabling them to steal confidential information, spy on their activities, and drop other malware. STRRAT has been in operation since 2020 and is regularly updated to increase its complexity and make it more difficult to detect.

Remote Access Trojan
Type
Unknown
Origin
1 June, 2020
First seen
18 June, 2024
Last seen

How to analyze STRRAT with ANY.RUN

Remote Access Trojan
Type
Unknown
Origin
1 June, 2020
First seen
18 June, 2024
Last seen

IOCs

IP addresses
79.110.62.204
181.141.1.250
79.134.225.17
193.161.193.99
91.193.75.135
79.134.225.40
212.192.246.56
15.235.10.108
87.98.245.48
194.5.98.8
79.134.225.79
79.134.225.22
212.193.30.54
185.29.9.101
194.85.248.87
185.140.53.68
212.193.30.230
151.229.173.33
103.151.123.132
185.140.53.131
Hashes
146e04ad28ceda68230c9085a4198fa74d6482760b9eaf0ad575e50c200f09cc
655954e2d7d2e71f7c2cdcfb278f9154b94a50904ee3315824de204aa14e0100
df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0
Domains
str04.bounceme.net
fileshaaringdocumseign.pages.dev
mons.jetos.com
adrenalinecyber.com
nectarclampplaza.com
nightmare4666.ddns.net
donutz.ddns.net
egodds.longmusic.com
pplugin.duckdns.org
magicfinger.ddns.net
flyingtoms.instanthq.com
redlan.mywire.org
checkmybones.dns.army
feksake.ddns.net
efcc.duckdns.org
str-master.pw
7cmqghpupqiquxkfgmotxv6nfl366hyekx4mulez6rdgwdmq7hn72rad.onion
frhb61552ds.ikexpress.com
palaintermine.duckdns.org
edonbe2189.ddns.net
URLs
http://jbfrost.live/strigoi/server/
http://str-master.pw/strigoi/server/ping.php
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 142
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 188
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 339
comments 0

What is STRRAT malware?

STRRAT is a Java-based malware that has been active since at least mid-2020. It is intended for a number of malicious purposes, including exfiltrating data from users’ browsers and email clients, keylogging, stealing files, as well as dropping additional malware. The creators of STRRAT are unknown, yet the continued evolution of the malware suggests that the developers behind it are constantly working to improve its capabilities.

The use of Java, a language that has largely lost its popularity over the past decade, does not prevent STRRAT from infecting numerous machines across the globe every year. Although the early versions of the malware required the presence of Java Runtime Environment (JRE) on the victim’s computer, the newer ones can do without it. Instead, they scan the system and install the JRE software downloaded from one of the remote servers.

While STRRAT continues to be distributed using simple .jar files, there are also instances of weaponized .pdfs and .xlsbs. Some attackers also use the polyglot technique to spread the malware (CVE-2020-1464). Specifically, they can combine two file formats (e.g., .msi and .jar) to circumvent security systems. Such files are usually sent as attachments to emails disguised as legitimate documents, including receipts and invoices, as part of spam or phishing campaigns.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the STRRAT malicious software

Similar to other remote access trojans, such as XWorm and AsyncRAT, STRRAT enables criminals to engage in:

  • Remote control: The malware lets its operators access the PC of their victim, view the screen of the device, and even reboot it.
  • Data theft: It can be used to gather sensitive data, including passwords, credit card information, and browser history.
  • File management: The program has the capacity to extract files from different directories. It can also upload, delete, and open files.
  • Malware installation: STRRAT can drop other malicious software.
  • Webcam and microphone recording: The spying capabilities of the malware make it possible for attackers to record users’ conversations and take photos.
  • Keylogging: It can transmit all the keystrokes detected on the infected machine to its C2C server. Alternatively, it can record the information in an offline mode and transfer it once the connection is established again.

Additionally, it can act as a reverse proxy server for attackers, listen for incoming RDP connections, as well as execute cmd and PowerShell commands. The malware can download and install new updates from a remote server, allowing it to receive the latest features and capabilities, and to evade detection by antivirus software.

Another notable feature of STRRAT is its “crimson” module, which makes an attempt at encrypting victims’ files by adding the .crimson extension to them. Yet, by manually removing this extension, users can once again access their files. Basically, STRRAT poorly imitates the behavior of full-scale ransomware, such as WannaCry.

In terms of obfuscation, the latest version of the malware, namely the 1.6 one, employs two commercial obfuscators, Zelix KlassMaster (ZKM) and Allatori. One of the ways that STRRAT achieves persistence is by creating a scheduled task, masked under the name of a legitimate process such as "Skype.exe." In addition to creating a scheduled task, STRRAT also changes the autorun value and writes itself into the startup menu. This ensures that the malware will launch again after the operating system is rebooted.

STRRAT is capable of easily gaining elevated privileges on the system, which gives more power to the attacker. You can learn more about the techniques used by STRRAT by reading the article STRRAT: Malware Analysis of a JAR archive.

Execution process of STRRAT

To get a better understanding of the techniques used by the malware and collect its IOCs, STRRAT can be uploaded to the ANY.RUN interactive sandbox.

Upon execution, STRRAT drops DLL files onto the disk and initiates a persistent task that runs every 30 minutes via the task scheduler. This task spawns a new process that generates WMI queries for system information. The malware then starts a benign Windows application that serves as a launchpad for an embedded malicious payload, in this case, Formbook.

Read a detailed analysis of STRRAT in our blog.

STRRAT process tree STRRAT's process tree

Distribution methods of the STRRAT malware

Phishing email campaigns remain the go-to method for threat actors to launch attacks using STRRAT against victims. Such emails typically mimic the branding and logos of trusted organizations, making them appear legitimate.

For instance, one of the documented cases related to STRRAT involved a fake email from the MAERSK shipping company. By unknowingly downloading and opening files attached to these emails, victims can kick off a chain reaction resulting in attackers gaining full control over their computers.

Conclusion

The STRRAT malware has proven to be a persistent challenge over the past 3 years. Individual users and SMEs are the groups primarily targeted by threat actors who use this malware. This puts an emphasis on the importance of having a reliable and fast tool like ANY.RUN for scanning suspicious links and files. The service generates comprehensive reports on the behavior of any sample in seconds and provides a conclusive verdict on whether a certain file or URL is malicious or not.

Try ANY.RUN for free – request a demo!.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy