General

  • Target: PO-UPDATE-99077-IMG.exe

  • Size: 1.4MB

  • Sample: 211105-nrccvsbeg8

  • MD5: 5f417ef4ce06d3471811742ca037cb1b

  • SHA1: 6ab8b21c8b52caa140bf63ae18a4ca01be6e1b98

  • SHA256: a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb

  • SHA512: 1bd13fed8e7a13b7f3ac00365ce845df819b6c31cdf236bd07eec31d765da4f44cfb485786217b4e7b620dd3739b75aee5c9c5a38cfdc1900956b419a101207c

Malware Config

Extracted

  • Family: wshrat

  • C2: http://concideritdone.duckdns.org:5001

Targets

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
