General

  • Target

    RemittanceAdvice_20210713_112348.js

  • Size

    295KB

  • Sample

    210713-6bs946x1f2

  • MD5

    7e931cc1205d355df5ebe483dfd0d53d

  • SHA1

    0466b0af5affbf1682108af656bd7236719e676b

  • SHA256

    b2646ed24e1773b139587b7dad8c0b8d3dd3fb18af58e88c006311e36897e71e

  • SHA512

    08e32cfaca2a8c2e3a189ce413e53b13f951d1aa88091eea6471cfa8d8e262deebb048b9f7a32778730a1e9b1287f04a3f5bed41e48f3eb446b31eacc6e402c0

Malware Config

Targets

    • Target

      RemittanceAdvice_20210713_112348.js

    • WSHRAT

      WSHRAT is a variant of the Houdini (H-Worm) remote access trojan and exists in both VBS and JS forms; this sample is the JS form, delivered as a "remittance advice" lure.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup web service to determine the infected host's external IP address, typically reported back to the C2.
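
The "Adds Run key to start application" and "Drops startup file" signatures above describe WSH persistence in general terms; the report does not give the value name or path this sample used. The following is an added example (not part of the report and not the sample's own code) of a host-side check for that pattern: it parses constructed "reg query" output for HKCU\...\Run and a constructed Startup-folder listing, and flags any entry that either launches wscript.exe/cscript.exe or points at a .js/.vbs-style script, which Windows would run through the default file association. All value names and paths in the sample data are illustrative assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Windows Script Host binaries and the script types they execute.
WSH_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Constructed "reg query HKCU\...\Run" output; the value names and paths are
# illustrative assumptions and are not taken from the sample.
RUN_KEY_DUMP = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    wscript.exe //B "C:\Users\user\AppData\Roaming\update.js"
    Svc    REG_SZ    C:\Users\user\AppData\Roaming\svc.vbs
"""

# Constructed listing of the per-user Startup folder (same caveat).
STARTUP_LISTING = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.js",
]


@dataclass
class Finding:
    source: str   # "Run" or "Startup"
    name: str     # registry value name or file name
    target: str   # command line or file path
    reason: str


def _uses_wsh_host(command: str) -> bool:
    return any(host in command.lower() for host in WSH_HOSTS)


def _references_script(command: str) -> bool:
    # Any token ending in a WSH script extension: a bare .js/.vbs command is
    # executed through wscript.exe by the default file association.
    return any(tok.strip('"').lower().endswith(SCRIPT_EXTS) for tok in command.split())


def parse_run_key(dump: str):
    """Yield (value_name, command) pairs from reg query output."""
    for line in dump.splitlines():
        if not line.startswith(" "):
            continue  # key path line, not a value
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            yield parts[0], parts[2]


def check_run_key(dump: str) -> list:
    findings = []
    for name, command in parse_run_key(dump):
        if _uses_wsh_host(command):
            findings.append(Finding("Run", name, command, "launches Windows Script Host"))
        elif _references_script(command):
            findings.append(Finding("Run", name, command, "script run via default file association"))
    return findings


def check_startup_folder(paths) -> list:
    return [Finding("Startup", ntpath.basename(p), p, "WSH script in Startup folder")
            for p in paths if p.lower().endswith(SCRIPT_EXTS)]


if __name__ == "__main__":
    for f in check_run_key(RUN_KEY_DUMP) + check_startup_folder(STARTUP_LISTING):
        print(f"[{f.source}] {f.name}: {f.reason}\n    {f.target}")
```

On a live host the same functions can be fed the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and a directory listing of the Startup folder; the OneDrive entry in the constructed data is there to show that ordinary .exe autoruns are not flagged.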

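The "Blocklisted process makes network request" and "Looks up external IP address via web service" signatures are worth combining into one detection: a browser querying an IP-lookup site is noise, but wscript.exe or cscript.exe doing so and then contacting other hosts is the beaconing pattern a WSH-based RAT produces. The following is an added example (not from the report) that runs that logic over constructed Sysmon-style DNS-query and network-connect events given as JSON lines. The report does not name the lookup service this sample used, so the IP_LOOKUP_HOSTS list is an assumption to be extended from your own telemetry; the process IDs and hostnames in the sample events are constructed.

```python
import json
import ntpath

# Windows Script Host binaries; the "Blocklisted process makes network request"
# signature is about these making outbound connections.
WSH_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed list of public external-IP lookup services; the report does not name
# the one this sample used, so extend this to match your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}

# Constructed Sysmon-style events as JSON lines (EventID 22 = DnsQuery,
# EventID 3 = NetworkConnect); process IDs and hostnames are illustrative.
SAMPLE_EVENTS = r"""
{"EventID": 22, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\wscript.exe", "QueryName": "api.ipify.org"}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationHostname": "api.ipify.org", "DestinationPort": 80}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationHostname": "cdn.example.net", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 2288, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "api.ipify.org", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 5044, "Image": "C:\\Windows\\System32\\cscript.exe", "DestinationHostname": "files.example.org", "DestinationPort": 443}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_wsh_network(events) -> dict:
    """Group outbound activity by WSH process and flag external-IP lookups."""
    procs = {}
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in WSH_HOSTS:
            continue  # browsers etc. hitting an IP-lookup site are normal noise
        dest = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
        rec = procs.setdefault(ev["ProcessId"], {"image": image, "destinations": [], "ip_lookup": False})
        if dest and dest not in rec["destinations"]:
            rec["destinations"].append(dest)
        if dest in IP_LOOKUP_HOSTS:
            rec["ip_lookup"] = True
    return procs


def severity(rec: dict) -> str:
    # A scripting host that checks its public IP and then talks to other hosts
    # matches the beaconing pattern the report describes.
    if rec["ip_lookup"] and len(rec["destinations"]) > 1:
        return "high"
    if rec["ip_lookup"] or rec["destinations"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for pid, rec in triage_wsh_network(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid} {rec['image']} severity={severity(rec)} -> {', '.join(rec['destinations'])}")
```

The firefox.exe event is deliberately included and ignored: the discriminating feature is the process, not the destination. In an environment where scripting hosts legitimately reach the network, key the grouping on ProcessGuid rather than ProcessId and add the parent process to the record before deciding severity.
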
MITRE ATT&CK Enterprise v6

Tasks