General
Target: 4fb831a65cce2392df4c5f792dad31e2
Size: 1.6MB
Sample: 211021-ya81lsafe9
MD5: 4fb831a65cce2392df4c5f792dad31e2
SHA1: 887b24b866d5ad917273a3e8391ba785a5ba90a5
SHA256: 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6
SHA512: c2a2952741d4c045fe5a641bf7ff8ccfefa54608fa73a875eab00c74cc03464c2808c548df0a6abfeb52eeb2956fac0eecd67f2a4ab62a2f8d13613e670f20c5
Static task: static1
Behavioral task: behavioral1
Sample: 4fb831a65cce2392df4c5f792dad31e2.exe
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: 4fb831a65cce2392df4c5f792dad31e2.exe
Resource: win10-en-20211014
Malware Config
Extracted family: wshrat
C2: http://concideritdone.duckdns.org:5001
Targets
Target: 4fb831a65cce2392df4c5f792dad31e2
Size: 1.6MB
MD5: 4fb831a65cce2392df4c5f792dad31e2
SHA1: 887b24b866d5ad917273a3e8391ba785a5ba90a5
SHA256: 2e4d9754a395aa51d9d35a6af209c4b041b8fa5c7fdad41bfc0df97d841091f6
SHA512: c2a2952741d4c045fe5a641bf7ff8ccfefa54608fa73a875eab00c74cc03464c2808c548df0a6abfeb52eeb2956fac0eecd67f2a4ab62a2f8d13613e670f20c5
Score: 10/10
Signatures:
- WSHRAT Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext