General
- Target: Rep-help.js
- Size: 1014KB
- Sample: 211128-jj9aeagfhq
- MD5: 23e3f29e61cee232e55a0ab979042f54
- SHA1: 6f1d9acc52609123cc3363b11f5a0ea151f6b2b6
- SHA256: fefaa621509a19e38964c94267f18709f907256e593f1c51343eddbcb745f69d
- SHA512: 626985155071120873ae41300f1c164336cadd095645abdfc679aa60ef139e1acde2e406fb5adb4779b73281bcc8f32350b28c121e11b0c7d9626aacc6d4afb1
Static task
- static1
Behavioral task behavioral1
- Sample: Rep-help.js
- Resource: win7-en-20211104
Behavioral task behavioral2
- Sample: Rep-help.js
- Resource: win10-en-20211014
Malware Config
- Extracted: wshrat
- http://1j1m3r3.kozow.com:50933
Targets
- Target: Rep-help.js
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext