General

  • Target

    74adc75e58f1ce9864fa9f593887467096ce478150e69c320ce24efbebfe26d6

  • Size

    634KB

  • Sample

    220130-atzz2scabl

  • MD5

    f08b55967cb67843e1220cf95372e1d6

  • SHA1

    6f660b008fec1794393415bd82aa49731d8eeeb6

  • SHA256

    74adc75e58f1ce9864fa9f593887467096ce478150e69c320ce24efbebfe26d6

  • SHA512

    f39c51a0f9d47f63cd33d74dd0fe5d6a0268d3e8def344d2e7feba6f048e0467a28970165f145e33e040634bf877d2d7d81e5735cae0a8c2c40ef34240c1d6bc

Malware Config

Extracted

Family

wshrat

C2

http://dominoduck2107.duckdns.org:9496

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • suricata: ET MALWARE WSHRAT CnC Checkin

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks