General

  • Target

    PO-UPDATE-99077-IMG.rar

  • Size

    1.2MB

  • Sample

    211103-e7dfesdcb4

  • MD5

    1cc0f8ebffc1032e805d463062c2f68f

  • SHA1

    7da904a08742f333b7e3710b0d859ad677726960

  • SHA256

    cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88

  • SHA512

    7205209a884a46a76bed3a01429bfdda4e5a4c1c5b51ed3b304d3f4423cd82873932dd7ee7c94fdc409f2207e311f44635eab7f56c8e6dc86f1eea01d7dbd37d

Malware Config

Targets

    • Target

      PO-UPDATE-99077-IMG.exe

    • Size

      1.4MB

    • MD5

      5f417ef4ce06d3471811742ca037cb1b

    • SHA1

      6ab8b21c8b52caa140bf63ae18a4ca01be6e1b98

    • SHA256

      a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb

    • SHA512

      1bd13fed8e7a13b7f3ac00365ce845df819b6c31cdf236bd07eec31d765da4f44cfb485786217b4e7b620dd3739b75aee5c9c5a38cfdc1900956b419a101207c

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks