Overview

overview

10

Static

static

Payment pdf.js

windows7_x64

10

Payment pdf.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment pdf.js

  • Size

    1014KB

  • Sample

    210727-dhrlrkvde2

  • MD5

    f098336e5dbe72f0af2370678bf9be2f

  • SHA1

    cb7d88f11c695a4a69eecaab5ca563c2437ab78d

  • SHA256

    f59e56f5a8735cf57b82bd6a6c76e352edae68f40e19efd1a03cd5fe15b06d4e

  • SHA512

    b6570af35eeddad6b9ca67faf4c4424d5fa49ed5a09863d688d9069928da8121cf1936ad254bfc8cc28e8637c4c1e04604c929d4678e140a348626bd57eb58cf

Score
10/10
wshratpersistencesuricatatrojan

Malware Config

Targets

    • Target

      Payment pdf.js

    • Size

      1014KB

    • MD5

      f098336e5dbe72f0af2370678bf9be2f

    • SHA1

      cb7d88f11c695a4a69eecaab5ca563c2437ab78d

    • SHA256

      f59e56f5a8735cf57b82bd6a6c76e352edae68f40e19efd1a03cd5fe15b06d4e

    • SHA512

      b6570af35eeddad6b9ca67faf4c4424d5fa49ed5a09863d688d9069928da8121cf1936ad254bfc8cc28e8637c4c1e04604c929d4678e140a348626bd57eb58cf

    Score
    10/10
    wshratpersistencesuricatatrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • suricata: ET MALWARE WSHRAT CnC Checkin

      suricata

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

      suricata

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks