General

  • Target

    NEW-PO-DETAILS-SWIFT.js

  • Size

    179KB

  • Sample

    210701-f56y6dh3ne

  • MD5

    c9118d65be6e415653f4ccfcc9dedced

  • SHA1

    25c48a6c6df8792a5d2dee2a6160ab67bdd89734

  • SHA256

    cb14693ffee68af4222ab10ed3ce21ebe607ea9b1862f1302f73e320ef163deb

  • SHA512

    c5fc7f6266642b0535c0d850e04a7bc5cfe5d6bc7f21f394286b1d528d0e0fc19508fa5c65ddaf2a413ef93519c84c9333e51cf2fe3c51e60c58d90e970681da

Malware Config

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks