CV Actualis_.bin

General
Target

CV Actualis_.bin

Size

1MB

Sample

201009-pk6qvejm4e

Score
10/10
MD5

384b434bcfeec7287cf02b7aefa06c52

SHA1

8e2abd5f01f36b38d3674847dff518e7a4eef897

SHA256

0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d

SHA512

a33c8f4c6746d16cd39a19c4ba9fcc3ebabefdeb443c2e46585958bc1d10fca4ff44a6c2612acec5fb284935121ebbf1f4f6028df9060beb38f9e4d01da7d235

Signatures

  • WSHRAT

    Description

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Blacklisted process makes network request

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder (T1547.001), Modify Registry (T1112)

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry (T1012)

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.
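As an added example, not Triage's signature code and not code taken from the sample, the Python below turns four of the signatures above (Run key persistence, a script dropped to the Startup folder, a script host making a network request, and an external IP lookup) into hunting checks over Sysmon-style events. The event shape, the script-host and IP-lookup host lists, the paths and the sample events are constructed assumptions; Sysmon does not log registry reads, so the Uninstall key enumeration is deliberately not covered.

```python
"""Hunting checks for the behaviours the report flags, run over constructed
Sysmon-style events.  Added example, not Triage's signature code; the event
shape, process names and lookup hosts are assumptions."""
import re
from dataclasses import dataclass

# Windows Script Host binaries: WSHRAT's .vbs/.js variants run under these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Registry paths and file locations used for autostart persistence.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)

# Legitimate IP-lookup services (assumed list; extend from your own telemetry).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}


@dataclass
class Event:
    """Minimal Sysmon-like event: 3 = network connection, 11 = file create,
    13 = registry value set.  'detail' carries the destination host, the
    created file path or the registry target; 'data' the value written."""
    event_id: int
    image: str
    detail: str
    data: str = ""


def check(ev: Event) -> list[str]:
    """Return the names of the report signatures this single event matches."""
    hits = []
    proc = ev.image.rsplit("\\", 1)[-1].lower()

    # Adds Run key to start application: a Run/RunOnce value written by a
    # script host, or a value that names a script file.
    if ev.event_id == 13 and RUN_KEY_RE.search(ev.detail):
        if proc in SCRIPT_HOSTS or SCRIPT_EXT_RE.search(ev.data):
            hits.append("Adds Run key to start application")

    # Drops startup file: a script written into a Startup folder.
    if ev.event_id == 11 and STARTUP_DIR_RE.search(ev.detail) and SCRIPT_EXT_RE.search(ev.detail):
        hits.append("Drops startup file")

    # Blacklisted process makes network request: wscript/cscript should rarely
    # talk to the network on a workstation; an IP-lookup destination on top of
    # that also matches the external-IP signature.
    if ev.event_id == 3 and proc in SCRIPT_HOSTS:
        hits.append("Blacklisted process makes network request")
        if ev.detail.lower() in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")

    # Sysmon does not log registry reads, so "Checks installed software"
    # (Uninstall key enumeration) needs ETW registry tracing or a review of
    # the dropped script instead of these events.
    return hits


def triage(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> matched signatures, skipping events with no hits."""
    return {i: hits for i, ev in enumerate(events) if (hits := check(ev))}


# Constructed sample events (not from the report); SID and paths are made up.
SAMPLE_EVENTS = [
    Event(13, r"C:\Windows\System32\wscript.exe",
          r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\update",
          r'wscript.exe //B "C:\Users\user\AppData\Roaming\update.vbs"'),
    Event(11, r"C:\Windows\System32\wscript.exe",
          r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"),
    Event(3, r"C:\Windows\System32\wscript.exe", "api.ipify.org"),
    Event(3, r"C:\Program Files\Mozilla Firefox\firefox.exe", "api.ipify.org"),  # browser: benign
    Event(13, r"C:\Program Files\Acme\setup.exe",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AcmeUpdater",
          r"C:\Program Files\Acme\updater.exe"),                                  # installer: benign
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx} ({ev.image}): {', '.join(hits)}")
```

The two benign events show the reason for the process and extension conditions: a Run value written by an installer, or a browser reaching an IP-lookup site, is normal, while the same actions from wscript.exe or involving a .vbs/.js file are the pattern the sandbox flagged here.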

MITRE ATT&CK Matrix tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1