General

  • Target

    Rep-help.js

  • Size

    1014KB

  • Sample

    211128-jj9aeagfhq

  • MD5

    23e3f29e61cee232e55a0ab979042f54

  • SHA1

    6f1d9acc52609123cc3363b11f5a0ea151f6b2b6

  • SHA256

    fefaa621509a19e38964c94267f18709f907256e593f1c51343eddbcb745f69d

  • SHA512

    626985155071120873ae41300f1c164336cadd095645abdfc679aa60ef139e1acde2e406fb5adb4779b73281bcc8f32350b28c121e11b0c7d9626aacc6d4afb1

Malware Config

Extracted

Family

wshrat

C2

http://1j1m3r3.kozow.com:50933

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has both VBS and JS variants.

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks