General
- Target: DRAFTCOPY-BILL-PDF309874847.js
- Size: 1KB
- Sample: 211021-w52hxaafb7
- MD5: 8aa7029773c57a40a220e6a6b5e11f32
- SHA1: 10cee1e3ab432641e3edf8f477cf76a527200cf3
- SHA256: 65a5df237d47b30ebe2f5b01c7e9e99e29d9d6ee14c2c6d718a538e4013c0a55
- SHA512: e66ca934f1b9a3e0913f765845c435042e4b3987a31f8bf08a2742ce8d40dabc26f5b8d933e0f598d940bcea4f1c33fb22a1d106e830f457c4453e58cb110717
Static task: static1
Behavioral task: behavioral1
- Sample: DRAFTCOPY-BILL-PDF309874847.js
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: DRAFTCOPY-BILL-PDF309874847.js
- Resource: win10-en-20210920
Malware Config
- Extracted: wshrat
- http://concideritdone.duckdns.org:5001
Targets
Score: 10/10
- WSHRAT Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext