General

  • Target

    Customer alerts.js

  • Size

    1.0MB

  • Sample

    211126-x29ksaecfr

  • MD5

    d7635680fdef884b00183d6e6279c816

  • SHA1

    1b6632f660b8b68d62d7d7dc2437fc43d37d161d

  • SHA256

    2bad00a5d95151f8a72c537e066bb1d2f1f7c73dfadca31f0ec21da7935df1df

  • SHA512

    f579b191981227b82ae42120fba28ffcd1c8867b7b9bf3d435c46796cd1d975db16faff824dfba277b86622c8d86b5747c4833b9d628506d8a4603fb23a3e7ee

Malware Config

Extracted

Family

wshrat

C2

http://1j1m3r3.kozow.com:50933

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks