General

  • Target

    27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953

  • Size

    36KB

  • Sample

    220130-tap6aaece3

  • MD5

    cb56cbfa87f38a41216b5b4a68ad971e

  • SHA1

    ee1ede79dd06bbfaf73d77e96d90dde6d3407b47

  • SHA256

    27f9c7625c39cc1ce7d0af02dbf8de4a60bc674e17aa5276e708ab366fad7953

  • SHA512

    b0f07056613693c63b18aa383e3dfbf2c1fc54314fbd10bec9cfd9c5c08b252747038fd799b31308e0bdf17dbc753af678867d888deaba63570d3d160fadd557

Malware Config

Extracted

Family

wshrat

C2

http://unknownsoft.duckdns.org:7755

Targets

    • Target

      RFQ2019240611111111111111_ENQUIRY19995C_PDF.js

    • Size

      104KB

    • MD5

      3e1d45dd6fef116c4a45cc81997027dc

    • SHA1

      a2cd3a0ecc900664510a9c3e2ff00faa943d3d6b

    • SHA256

      4eb6e69e7df76b5e84ecc4dc6f569fe2ad0f9763fc015014c2b23aa1c82f7332

    • SHA512

      4d9052a10888af2c0feb5ec301681736b3c3374e84733d5edef5f7d026ab951b1e69760c72e53fc904b58733ea0fb680787980e0a7aacbc3051be85a34df3fd4

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks