Overview

overview

10

Static

static

CV Actualis_.bin.exe

windows7_x64

10

CV Actualis_.bin.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CV Actualis_.bin

  • Size

    1.7MB

  • Sample

    201009-pk6qvejm4e

  • MD5

    384b434bcfeec7287cf02b7aefa06c52

  • SHA1

    8e2abd5f01f36b38d3674847dff518e7a4eef897

  • SHA256

    0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d

  • SHA512

    a33c8f4c6746d16cd39a19c4ba9fcc3ebabefdeb443c2e46585958bc1d10fca4ff44a6c2612acec5fb284935121ebbf1f4f6028df9060beb38f9e4d01da7d235

Score
10/10
wshratdiscoverypersistencetrojan

Malware Config

Targets

    • Target

      CV Actualis_.bin

    • Size

      1.7MB

    • MD5

      384b434bcfeec7287cf02b7aefa06c52

    • SHA1

      8e2abd5f01f36b38d3674847dff518e7a4eef897

    • SHA256

      0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d

    • SHA512

      a33c8f4c6746d16cd39a19c4ba9fcc3ebabefdeb443c2e46585958bc1d10fca4ff44a6c2612acec5fb284935121ebbf1f4f6028df9060beb38f9e4d01da7d235

    Score
    10/10
    persistencetrojanwshratdiscovery

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks