General

  • Target

    HTM11209007.js

  • Size

    1006KB

  • Sample

    211115-g12wjsecfl

  • MD5

    534c5f544a49e8bbe33500d2bf2ed0ee

  • SHA1

    208082a55658a1fc60e510dd0b05a346e3d3e041

  • SHA256

    1e6e40f10afa7059706c802c7d0a96d6a947d021921322a4815e0d6b696aced0

  • SHA512

    65c680cac134f7c95379fe221c44af7d15e099728a993b613cace73e8e0110a4dea84df0a4033091ac1564d18390303496bed86ea6a6e8137f531ec97719d2f0

Malware Config

Extracted

Family

wshrat

C2

http://140.228.29.190:7121

Targets

    • Target

      HTM11209007.js

    • Size

      1006KB

    • MD5

      534c5f544a49e8bbe33500d2bf2ed0ee

    • SHA1

      208082a55658a1fc60e510dd0b05a346e3d3e041

    • SHA256

      1e6e40f10afa7059706c802c7d0a96d6a947d021921322a4815e0d6b696aced0

    • SHA512

      65c680cac134f7c95379fe221c44af7d15e099728a993b613cace73e8e0110a4dea84df0a4033091ac1564d18390303496bed86ea6a6e8137f531ec97719d2f0

    • WSHRAT

WSHRAT is a variant of the Houdini worm (also tracked as H-Worm/Dunihi, hence the Suricata Dunihi/Houdini/H-Worm alert below) and exists in VBS and JS variants; this sample, HTM11209007.js, is the JS variant, which runs under the Windows Script Host (wscript.exe).

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers commonly harvest the browser's stored profile data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

Queries a legitimate public IP lookup web service to learn the infected system's external IP address.
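
The behaviours listed above (a script host that writes a Run key, beacons over HTTP to a bare IP:port, and queries an IP lookup service) can be turned into hunting checks over endpoint telemetry. The following is an added example, not code from the sandbox report or from WSHRAT itself; the event records are constructed for the demo and modelled on the report's findings, and the field names (event_type, pid, image, key, value_data, dest_ip, dest_port, http_host), the user path, the IP lookup host list and all IP addresses other than the reported C2 are assumptions:

```python
"""Hunt for the sandbox-reported behaviours in constructed host/network telemetry.

Added example, not part of the report or the malware. The field names below are
an assumed schema, not a real EDR export.
"""
import ipaddress
import re

# Windows script hosts; the report's sample is a .js file, which wscript.exe runs.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Illustrative, incomplete list of public "what is my IP" services (assumption).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}

# Constructed telemetry: an infected script host (pid 4120) plus benign noise (pid 5000).
# Only 140.228.29.190:7121 comes from the report; the other addresses are placeholders.
SAMPLE_EVENTS = [
    {"event_type": "process", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\HTM11209007.js"'},
    {"event_type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HTM11209007",
     "value_data": r'wscript.exe //B "C:\Users\victim\AppData\Roaming\HTM11209007.js"'},
    {"event_type": "network", "pid": 4120, "dest_ip": "140.228.29.190", "dest_port": 7121,
     "http_host": "140.228.29.190:7121"},
    {"event_type": "network", "pid": 4120, "dest_ip": "104.26.12.205", "dest_port": 80,
     "http_host": "api.ipify.org"},
    {"event_type": "process", "pid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"event_type": "registry", "pid": 5000,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value_data": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"event_type": "network", "pid": 5000, "dest_ip": "142.250.74.110", "dest_port": 443,
     "http_host": "www.google.com"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_pids(events):
    """PIDs whose process image is a Windows script host."""
    return {e["pid"] for e in events
            if e["event_type"] == "process" and _basename(e["image"]) in SCRIPT_HOSTS}


def run_key_script_persistence(events):
    """Run-key values that launch a script file, or that a script host wrote."""
    hosts = script_host_pids(events)
    return [e["key"] for e in events
            if e["event_type"] == "registry" and RUN_KEY.search(e["key"])
            and (SCRIPT_EXT.search(e["value_data"]) or e["pid"] in hosts)]


def _host_is_bare_ip(http_host):
    """True if the HTTP Host header is an IPv4 literal (optionally with :port)."""
    try:
        ipaddress.ip_address(http_host.split(":")[0])
        return True
    except ValueError:
        return False


def script_host_c2_candidates(events):
    """Script-host connections to a public address that look like a hard-coded C2:
    the Host header is a bare IP, or the port is not a standard web port."""
    hosts = script_host_pids(events)
    out = []
    for e in events:
        if e["event_type"] != "network" or e["pid"] not in hosts:
            continue
        if not ipaddress.ip_address(e["dest_ip"]).is_global:
            continue
        if _host_is_bare_ip(e.get("http_host", "")) or e["dest_port"] not in (80, 443):
            out.append(f"{e['dest_ip']}:{e['dest_port']}")
    return out


def script_host_ip_lookups(events):
    """Script-host requests to a known external-IP lookup service."""
    hosts = script_host_pids(events)
    return [e["http_host"] for e in events
            if e["event_type"] == "network" and e["pid"] in hosts
            and e.get("http_host", "").lower() in IP_LOOKUP_HOSTS]


def triage(events):
    """Per-PID indicator summary; a script host showing all three matches the report's profile."""
    findings = {}
    for pid in sorted(script_host_pids(events)):
        subset = [e for e in events if e["pid"] == pid]
        indicators = []
        if run_key_script_persistence(subset):
            indicators.append("run_key_persistence")
        if script_host_c2_candidates(subset):
            indicators.append("c2_beacon")
        if script_host_ip_lookups(subset):
            indicators.append("external_ip_lookup")
        if indicators:
            findings[pid] = indicators
    return findings


if __name__ == "__main__":
    for pid, indicators in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(indicators))
```

The checks are keyed on the process image rather than on the sample's hashes, so they also catch re-obfuscated builds of the same script; the Run key check deliberately fires on any script host writing to Run, because the value data may point at a renamed copy rather than the original filename. Bare-IP Host headers and non-standard ports on their own are noisy on some networks, so treat the combined triage() result, not the individual lists, as the alerting condition.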

MITRE ATT&CK Enterprise v6

Tasks