General
Target: Customer alerts.js
Size: 1.0MB
Sample: 211126-x29ksaecfr
MD5: d7635680fdef884b00183d6e6279c816
SHA1: 1b6632f660b8b68d62d7d7dc2437fc43d37d161d
SHA256: 2bad00a5d95151f8a72c537e066bb1d2f1f7c73dfadca31f0ec21da7935df1df
SHA512: f579b191981227b82ae42120fba28ffcd1c8867b7b9bf3d435c46796cd1d975db16faff824dfba277b86622c8d86b5747c4833b9d628506d8a4603fb23a3e7ee
Static task: static1
Behavioral task: behavioral1 (sample: Customer alerts.js, resource: win7-en-20211104)
Behavioral task: behavioral2 (sample: Customer alerts.js, resource: win10-en-20211014)
Malware Config
Extracted: wshrat
http://1j1m3r3.kozow.com:50933
Targets
Target: Customer alerts.js
Size: 1.0MB
MD5: d7635680fdef884b00183d6e6279c816
SHA1: 1b6632f660b8b68d62d7d7dc2437fc43d37d161d
SHA256: 2bad00a5d95151f8a72c537e066bb1d2f1f7c73dfadca31f0ec21da7935df1df
SHA512: f579b191981227b82ae42120fba28ffcd1c8867b7b9bf3d435c46796cd1d975db16faff824dfba277b86622c8d86b5747c4833b9d628506d8a4603fb23a3e7ee
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.