General
Target: PO-NOVERMBER-877899PDF.js
Size: 1.9MB
Sample: 211102-jm5rdscac8
MD5: e2be463b7572adf0a980f27f3daafcf3
SHA1: bee36928051a60bf2a1a0b9b02280d16aee6967b
SHA256: ee0073705af75336561ad765f570b06762c14ecbc0d67edb538eab2ac2884ba2
SHA512: 14753796a8c6eb72446134416e096fb4a924efc47aea0aa038d7b1d666c8eccd3e0ff41763332c4a2e930f8f3089344313e414ff73217505232b0e8a6da59909
Static task: static1
Behavioral task: behavioral1
  Sample: PO-NOVERMBER-877899PDF.js
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: PO-NOVERMBER-877899PDF.js
  Resource: win10-en-20210920
Malware Config
Extracted: wshrat
URL: http://concideritdone.duckdns.org:5001
Targets
Target: PO-NOVERMBER-877899PDF.js
Size: 1.9MB
MD5: e2be463b7572adf0a980f27f3daafcf3
SHA1: bee36928051a60bf2a1a0b9b02280d16aee6967b
SHA256: ee0073705af75336561ad765f570b06762c14ecbc0d67edb538eab2ac2884ba2
SHA512: 14753796a8c6eb72446134416e096fb4a924efc47aea0aa038d7b1d666c8eccd3e0ff41763332c4a2e930f8f3089344313e414ff73217505232b0e8a6da59909
- WSHRAT Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext