General

  • Target

    c9ef5a98d32858facd2ea6354196969080b87cb684295830d983293a25daf143

  • Size

    366KB

  • Sample

    220201-ehmmssghc8

  • MD5

    394f8e6df802d303487795e7edb76ad0

  • SHA1

    67bb4fe378952026e7c970cadd3798b379c99bdb

  • SHA256

    c9ef5a98d32858facd2ea6354196969080b87cb684295830d983293a25daf143

  • SHA512

    d5db02e1aaf9da76572489a51bde11e3e91f9f860e5c835c6f859eac0edda7bd5487ece4f2f82346d76a79c159010eb6e3295f945c8acd188d8c5685e716cc15

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://pluginsrv2.duckdns.org:8000

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
