General
- Target: PO-UPDATE-99077-IMG.exe
- Size: 1.4MB
- Sample: 211105-nrccvsbeg8
- MD5: 5f417ef4ce06d3471811742ca037cb1b
- SHA1: 6ab8b21c8b52caa140bf63ae18a4ca01be6e1b98
- SHA256: a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb
- SHA512: 1bd13fed8e7a13b7f3ac00365ce845df819b6c31cdf236bd07eec31d765da4f44cfb485786217b4e7b620dd3739b75aee5c9c5a38cfdc1900956b419a101207c

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO-UPDATE-99077-IMG.exe, Resource: win7-en-20211104)
- Behavioral task: behavioral2 (Sample: PO-UPDATE-99077-IMG.exe, Resource: win10-en-20211014)

Malware Config
- Extracted: wshrat
- C2: http://concideritdone.duckdns.org:5001

Targets
- Target: PO-UPDATE-99077-IMG.exe
- Size: 1.4MB
- MD5: 5f417ef4ce06d3471811742ca037cb1b
- SHA1: 6ab8b21c8b52caa140bf63ae18a4ca01be6e1b98
- SHA256: a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb
- SHA512: 1bd13fed8e7a13b7f3ac00365ce845df819b6c31cdf236bd07eec31d765da4f44cfb485786217b4e7b620dd3739b75aee5c9c5a38cfdc1900956b419a101207c

Signatures
- WSHRAT Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext