General

  • Target

    b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd

  • Size

    38KB

  • Sample

    220121-3ahkwacfb4

  • MD5

    9169f8cabbd35be6b85b44499d3d02c1

  • SHA1

    a3cdbca8c3636bc783ad9ff2ce190befbcce9230

  • SHA256

    b04ebbaab95d8941912761529774630b138c48e08c55462dc1191c5258d909fd

  • SHA512

    f837048468da4ef82ffd2e7935a5cb4d21cdeffb3c91b6105e58041ffd38c24a0b7452885a60924765ad3ecf8af238209aca5308e5de319fe3d6a1982d2d6839

Malware Config

Extracted

Family

wshrat

C2

http://ghostwsh4191.ddns.net:4191

Targets

    • Target

      GH2-19062016_PO_TOP URGENT.js

    • Size

      104KB

    • MD5

      c4a3c287a91653de36fe458599b226e3

    • SHA1

      5da2f1e0f11a82df50d970db65d48c9575d3111a

    • SHA256

      345e93e6986cea0e9f2ce63ec4d2c6b34afe35c3300f7802b92176bafdc5a84c

    • SHA512

      c3662f002f2969bda521d0b607d9686c2ccbb1b687865658f3b9789246dbcddb5664046e00308569e9c5accf177008de88214bba35eb0c1c587356b1b5adb5c6

    • WSHRAT

      WSHRAT is a Windows Script Host based RAT derived from the Houdini worm; it is distributed in both VBS and JS forms, and this sample is the JS form.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application
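
The three behaviour signatures above (script host contacting the extracted C2, a Run key pointing at a script, a script dropped into the Startup folder) can be turned into host-level detection logic. The following is an added example, not the sandbox's own signature code: it runs over a handful of constructed Sysmon-style events in newline-delimited JSON (the event field names follow Sysmon, the event contents are made up for this example) and uses only the C2 URL and target filename listed in this report as indicators.

```python
"""Detection logic for the WSHRAT behaviours listed in this report, run over
constructed Sysmon-style events (added example, not the report's own code)."""
import json
import re
from urllib.parse import urlparse

# C2 as extracted in the report's Malware Config section.
C2_URL = "http://ghostwsh4191.ddns.net:4191"

# Windows Script Host binaries that run .js/.vbs loaders such as WSHRAT.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def c2_indicator(url):
    """Split a C2 URL into (hostname, port); the port defaults from the scheme."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.hostname.lower(), port


C2_HOST, C2_PORT = c2_indicator(C2_URL)


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule, detail) tuples triggered by one Sysmon-style event dict."""
    hits = []
    image = image_name(ev.get("Image", ""))
    etype = ev.get("EventType")

    if etype == "NetworkConnect" and image in SCRIPT_HOSTS:
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        # A script host talking to the extracted C2 is the strongest signal;
        # any script host making network connections is still worth a look.
        rule = "c2_contact" if (host, port) == (C2_HOST, C2_PORT) else "script_host_network"
        hits.append((rule, f"{image} -> {host}:{port}"))

    elif etype == "RegistryValueSet" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        # Run value that launches a script file, or one written by a script host.
        if SCRIPT_EXT_RE.search(details) or image in SCRIPT_HOSTS:
            hits.append(("run_key_script", f"{ev['TargetObject']} = {details}"))

    elif etype == "FileCreate":
        target = ev.get("TargetFilename", "")
        # Script file dropped into a per-user or all-users Startup folder.
        if STARTUP_DIR_RE.search(target) and SCRIPT_EXT_RE.search(target):
            hits.append(("startup_script_drop", f"{image} wrote {target}"))

    return hits


def scan(lines):
    """Run check_event over newline-delimited JSON events; skip unparsable lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(ev))
    return findings


# Constructed sample events (not from the report); field names follow Sysmon.
SAMPLE_EVENTS = r"""
{"EventType": "NetworkConnect", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "update.googleapis.com", "DestinationPort": 443}
{"EventType": "NetworkConnect", "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationHostname": "ghostwsh4191.ddns.net", "DestinationPort": 4191}
{"EventType": "RegistryValueSet", "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GH2-19062016_PO_TOP URGENT", "Details": "wscript.exe //B \"C:\\Users\\user\\AppData\\Roaming\\GH2-19062016_PO_TOP URGENT.js\""}
{"EventType": "FileCreate", "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GH2-19062016_PO_TOP URGENT.js"}
{"EventType": "RegistryValueSet", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor", "Details": "C:\\Program Files\\Vendor\\tray.exe"}
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {detail}")
```

Run stand-alone it reports the wscript.exe connection to the C2, the Run value launching the .js file, and the Startup-folder drop, while ignoring the browser connection and the installer's Run key. The C2 host is a dynamic DNS name, so matching on hostname rather than a resolved IP is deliberate: the address behind it can change while the name stays the same.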

MITRE ATT&CK Enterprise v6

Tasks