General
Target: IMG-9877-PO-PDF-LIST9576867.js
Size: 2.1MB
Sample: 211021-wzbejaafb3
MD5: 66ce275ae44bfac23f7a71c0e3df1e76
SHA1: a8f6afbb0c136b8dcfe6f108cde75b40b7c0d2ce
SHA256: 46648093234287c679db48c441de8f2d12306a3c8299b4d30e3fcf0057bcd633
SHA512: 94e9ead33c3a0ff6133f46951fb9a52d4e59215f79a05f7c006cbff47712ab39130bcafabfc165cd5fa1402336a1a63b204b7eb33631a0172fc5e6463ba36afe
Static task: static1
Behavioral task: behavioral1
  Sample: IMG-9877-PO-PDF-LIST9576867.js
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: IMG-9877-PO-PDF-LIST9576867.js
  Resource: win10-en-20210920
Malware Config
Extracted: wshrat
URL: http://concideritdone.duckdns.org:5001
Targets
Target: IMG-9877-PO-PDF-LIST9576867.js
Score: 10/10
- WSHRAT Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext