General
- Target: HTM11209007.js
- Size: 1006KB
- Sample: 211115-g12wjsecfl
- MD5: 534c5f544a49e8bbe33500d2bf2ed0ee
- SHA1: 208082a55658a1fc60e510dd0b05a346e3d3e041
- SHA256: 1e6e40f10afa7059706c802c7d0a96d6a947d021921322a4815e0d6b696aced0
- SHA512: 65c680cac134f7c95379fe221c44af7d15e099728a993b613cace73e8e0110a4dea84df0a4033091ac1564d18390303496bed86ea6a6e8137f531ec97719d2f0
Static task: static1
Behavioral task: behavioral1 (Sample: HTM11209007.js, Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: HTM11209007.js, Resource: win10-en-20211014)
Malware Config
- Extracted: wshrat
- http://140.228.29.190:7121
Targets
- Target: HTM11209007.js
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.