General
Target: NEW2-P0-6768-67.js
Size: 2.0MB
Sample: 211101-lh8nlaebgj
MD5: 0cc291d10a959273d146e06ffae6c9a4
SHA1: d4d1eb7e58f58e07a6acff40fb97b24f10fb11b0
SHA256: fc15d03d19f3f1a41c48188d6c014ae3086b453c1380604e9cc5809d1747fd52
SHA512: cc736eee0b993b91d97a4d0da049bf9ae00062f2ae6accb47befc63a767c5ef21ffdb26e0baa112bda591da3a8428b48f0896a6f34e4ff0a40f779582d2bcc7f
Static task: static1
Behavioral task: behavioral1
  Sample: NEW2-P0-6768-67.js
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: NEW2-P0-6768-67.js
  Resource: win10-en-20210920
Malware Config
Extracted: wshrat
http://newmoey2022.duckdns.org:5001
Targets
Target: NEW2-P0-6768-67.js
Size: 2.0MB
MD5: 0cc291d10a959273d146e06ffae6c9a4
SHA1: d4d1eb7e58f58e07a6acff40fb97b24f10fb11b0
SHA256: fc15d03d19f3f1a41c48188d6c014ae3086b453c1380604e9cc5809d1747fd52
SHA512: cc736eee0b993b91d97a4d0da049bf9ae00062f2ae6accb47befc63a767c5ef21ffdb26e0baa112bda591da3a8428b48f0896a6f34e4ff0a40f779582d2bcc7f
- WSHRAT Payload
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext