General

  • Target

    1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe

  • Size

    469KB

  • Sample

    211223-y8ejnacdcl

  • MD5

    919665137e771d9c738303058e2bc373

  • SHA1

    d9f4293de1f8561e3528cb1adeec1e93208ce8e7

  • SHA256

    1f7e9c6aed2b8cb929e3677818bd2b72142254e17f79007f984bb1b8472d99c8

  • SHA512

    f888daa97d95ba895cca667b91f2ad3db46dff586c9bb18dea1bc5a8bc3e9cd802ac331b4ee549fd4f8a391ec2c72fdb6a952f8ee3515858930f68d505bd6091

Malware Config

Extracted

Family

wshrat

C2

http://strserver1.duckdns.org:8001

Targets

    • Target

      1F7E9C6AED2B8CB929E3677818BD2B72142254E17F790.exe

    • Size

      469KB

    • MD5

      919665137e771d9c738303058e2bc373

    • SHA1

      d9f4293de1f8561e3528cb1adeec1e93208ce8e7

    • SHA256

      1f7e9c6aed2b8cb929e3677818bd2b72142254e17f79007f984bb1b8472d99c8

    • SHA512

      f888daa97d95ba895cca667b91f2ad3db46dff586c9bb18dea1bc5a8bc3e9cd802ac331b4ee549fd4f8a391ec2c72fdb6a952f8ee3515858930f68d505bd6091

    • WSHRAT

      WSHRAT is a variant of the Houdini (H-Worm) worm and exists in both VBScript (.vbs) and JScript (.js) forms.

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
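The following is an added example, not part of the original sandbox report, showing how the indicators above (the extracted C2 from "Malware Config", the check-in signatures, and the external-IP-lookup behaviour) can be turned into detection logic over HTTP proxy log lines. The log format, the log lines themselves and the hostnames, users and timestamps in them are constructed for the example. The "<|>"-delimited User-Agent heuristic is an assumption taken from public Houdini/H-Worm analysis (it is the field separator those families use in their check-in header), not something this report states; the list of IP-lookup services is likewise illustrative, since the report does not name the service this sample used.

```python
"""Flag WSHRAT / Houdini-style C2 check-ins in HTTP proxy logs.

Added example for the sandbox report above; not the report's own tooling.
Assumed one-request-per-line log format (constructed for this example):
    <timestamp> <src_ip> <method> <url> "<user-agent>"
"""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Indicator taken from the report's "Malware Config" section.
C2_URL = "http://strserver1.duckdns.org:8001"
C2_HOST, C2_PORT = "strserver1.duckdns.org", 8001

# Assumption from public Houdini/H-Worm analysis: the check-in puts host
# fingerprint fields in the User-Agent header joined by the literal "<|>".
HOUDINI_SEPARATOR = "<|>"

# Illustrative IP-lookup services (the report does not say which one the
# sample used). On their own these are weak signals; they are reported so
# they can be correlated with a C2 hit from the same source.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com",
                   "checkip.dyndns.org"}


@dataclass
class Hit:
    ts: str
    src_ip: str
    url: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str):
    """Split one log line into (ts, src_ip, method, url, user_agent)."""
    head, _, ua = line.partition(' "')       # user-agent is the quoted tail
    ts, src_ip, method, url = head.split(maxsplit=3)
    return ts, src_ip, method, url, ua.rstrip('"')


def score_request(method: str, url: str, ua: str) -> List[str]:
    """Return the list of reasons a request looks like WSHRAT activity."""
    reasons = []
    p = urlparse(url)
    host = p.hostname or ""
    port = p.port or (443 if p.scheme == "https" else 80)

    if host == C2_HOST and port == C2_PORT:
        reasons.append(f"destination matches extracted C2 {C2_URL}")

    if method == "POST" and HOUDINI_SEPARATOR in ua:
        nfields = len(ua.split(HOUDINI_SEPARATOR))
        reasons.append(f"Houdini-style User-Agent with {nfields} "
                       f"'<|>'-delimited fields")

    if host in IP_LOOKUP_HOSTS:
        reasons.append("external IP lookup via web service (low confidence alone)")
    return reasons


def scan(lines: List[str]) -> List[Hit]:
    """Run score_request over every log line and keep the ones that fire."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, src_ip, method, url, ua = parse_line(line)
        reasons = score_request(method, url, ua)
        if reasons:
            hits.append(Hit(ts, src_ip, url, reasons))
    return hits


# Constructed sample log: one benign request, one check-in to the extracted
# C2 with a Houdini-style User-Agent, one plain probe of the C2 host, and
# one external-IP lookup from the same infected host.
SAMPLE_LOG = [
    '2021-12-23T14:02:11Z 10.0.0.15 GET https://www.microsoft.com/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2021-12-23T14:02:18Z 10.0.0.15 POST http://strserver1.duckdns.org:8001/is-ready '
    '"A1B2C3D4_DESKTOP-1<|>DESKTOP-1<|>user<|>Microsoft Windows 10 Pro<|>plus<|>Windows Defender<|>false"',
    '2021-12-23T14:02:20Z 10.0.0.22 GET http://strserver1.duckdns.org:8001/ '
    '"curl/7.79.1"',
    '2021-12-23T14:03:05Z 10.0.0.15 GET https://api.ipify.org/ '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src_ip} {hit.url}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

Only the C2 destination match is tied to the report; the User-Agent and IP-lookup checks are there so a hit on the same source within a short window can be escalated, and so the rule keeps some coverage after the operator rotates the DuckDNS name.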

MITRE ATT&CK Enterprise v6

Tasks