Overview

overview

10

Static

static

Payment pdf.js

windows7_x64

10

Payment pdf.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment pdf.zip

  • Size

    246KB

  • Sample

    210727-3zp21s6rjs

  • MD5

    a1a6542193de32c4447a42d2e57b6f70

  • SHA1

    70a00d83666f05fbcc245fc11bc93a5fdf5cdfe2

  • SHA256

    2d6442135af8135536b063c489b54b2212618df06fd8b65b716866f66a8b0d96

  • SHA512

    e5f7e7b5c64d2be1c2df34762e622751809442e1f675305a5d6ae7d453563207965b34dc225d25392f3500588d2ef82be99baa135fdc5ff87ba053f1aff06703

Score
10/10
wshratpersistencesuricatatrojan

Malware Config

Targets

    • Target

      Payment pdf.js

    • Size

      1014KB

    • MD5

      f098336e5dbe72f0af2370678bf9be2f

    • SHA1

      cb7d88f11c695a4a69eecaab5ca563c2437ab78d

    • SHA256

      f59e56f5a8735cf57b82bd6a6c76e352edae68f40e19efd1a03cd5fe15b06d4e

    • SHA512

      b6570af35eeddad6b9ca67faf4c4424d5fa49ed5a09863d688d9069928da8121cf1936ad254bfc8cc28e8637c4c1e04604c929d4678e140a348626bd57eb58cf

    Score
    10/10
    wshratpersistencesuricatatrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • suricata: ET MALWARE WSHRAT CnC Checkin

      suricata

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

      suricata

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks