General
- Target: PO-UPDATE-99077-IMG.rar
- Size: 1.2MB
- Sample: 211103-e7dfesdcb4
- MD5: 1cc0f8ebffc1032e805d463062c2f68f
- SHA1: 7da904a08742f333b7e3710b0d859ad677726960
- SHA256: cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88
- SHA512: 7205209a884a46a76bed3a01429bfdda4e5a4c1c5b51ed3b304d3f4423cd82873932dd7ee7c94fdc409f2207e311f44635eab7f56c8e6dc86f1eea01d7dbd37d
Static task: static1
Behavioral task: behavioral1
- Sample: PO-UPDATE-99077-IMG.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: PO-UPDATE-99077-IMG.exe
- Resource: win10-en-20211014
Malware Config
Targets
- Target: PO-UPDATE-99077-IMG.exe
- Size: 1.4MB
- MD5: 5f417ef4ce06d3471811742ca037cb1b
- SHA1: 6ab8b21c8b52caa140bf63ae18a4ca01be6e1b98
- SHA256: a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb
- SHA512: 1bd13fed8e7a13b7f3ac00365ce845df819b6c31cdf236bd07eec31d765da4f44cfb485786217b4e7b620dd3739b75aee5c9c5a38cfdc1900956b419a101207c
- WSHRAT Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext