General

  • Target

    8F0D80257ED844B8FE7DBF5ED3825BAE.exe

  • Size

    704KB

  • Sample

    210627-1clxws1d7j

  • MD5

    8f0d80257ed844b8fe7dbf5ed3825bae

  • SHA1

    8220744ac87cd32a5d4445b7342bb3ca7a7d0754

  • SHA256

    a6c5cfb45f3ad2ad7140c002881e61cd8f292bba74813d9d2cd46510d3413661

  • SHA512

    233100f586377685aff880e1280f498f62e24c507f3d649282f5782f4a6e81e2a28658870246468b6e16d52687a4efb55525897fcc27ced84cf88c352b8b390d

Malware Config

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks