General

  • Target

    NEW2-P0-6768-67.js

  • Size

    2.0MB

  • Sample

    211101-lh8nlaebgj

  • MD5

    0cc291d10a959273d146e06ffae6c9a4

  • SHA1

    d4d1eb7e58f58e07a6acff40fb97b24f10fb11b0

  • SHA256

    fc15d03d19f3f1a41c48188d6c014ae3086b453c1380604e9cc5809d1747fd52

  • SHA512

    cc736eee0b993b91d97a4d0da049bf9ae00062f2ae6accb47befc63a767c5ef21ffdb26e0baa112bda591da3a8428b48f0896a6f34e4ff0a40f779582d2bcc7f

Malware Config

Extracted

Family

wshrat

C2

http://newmoey2022.duckdns.org:5001

Targets

    • Target

      NEW2-P0-6768-67.js


    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS forms.

    • WSHRAT Payload

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks