General

Target: R7MC1D7ZGB.js
Size: 257KB
Sample: 220228-clnyxseceq
MD5: a5d240521ceca1cfea78be885c76413f
SHA1: e336b76d64ffab956a877f015c223d41dd66c246
SHA256: cd84cb8d15ba8c8b0e006bc0b8988e7033abbb6943addc46e7d7542ebc901989
SHA512: 21f29438d817c98164553841e9f50e04023ceaa6bd98adf6199c159773d54d374c4904e154c9a528709cb7890be021ee089aeb9fd7ebdea487bcda3fa04a4002
Static task: static1
Malware Config
Targets

Target: R7MC1D7ZGB.js (257KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures

- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 (Emerging Threats rule name; matched on the sample's check-in traffic)
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
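The behavioural signatures above are what an analyst re-checks on a suspected host. The following script is an added example, not part of the sandbox report and not the sample's own code: it parses a `reg export` dump for Run/RunOnce values that launch a script host ("Adds Run key to start application"), lists script files in a Startup folder ("Drops startup file"), and scans proxy-log lines for a script host making a network request and for calls to public IP-lookup services ("Blocklisted process makes network request", "Looks up external IP address via web service"). The registry values, Startup-folder listing, log format, the Run value name `R7MC1D7ZGB`, the host `example-c2.invalid` and the list of IP-lookup domains are all constructed for illustration; the report does not name the service or the registry value the sample actually used.

```python
"""Re-check the report's persistence and network signatures on local artefacts.

Added example; all inputs below are constructed, not taken from the sample.
"""
import re
from dataclasses import dataclass

# Script hosts a .js dropper runs under (assumption: wscript/cscript only).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Matches Run and RunOnce under either hive.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Illustrative list of public "what is my IP" endpoints (assumption; the
# report does not say which service the sample queried).
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me",
                   "ip-api.com", "checkip.dyndns.org", "ipinfo.io"}


@dataclass(frozen=True)
class RegValue:
    key: str
    name: str
    data: str


def parse_reg_export(text: str) -> list[RegValue]:
    """Parse the REG_SZ subset of .reg syntax that `reg export` emits."""
    values, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            # .reg escapes backslash and double quote with a backslash.
            data = re.sub(r"\\(.)", r"\1", data)
            values.append(RegValue(key, name.strip('"'), data))
    return values


def _runs_script(cmd: str) -> bool:
    low = cmd.lower()
    return any(h in low for h in SCRIPT_HOSTS) or any(e in low for e in SCRIPT_EXTS)


def find_script_run_keys(values: list[RegValue]) -> list[RegValue]:
    """Run/RunOnce values whose command launches a script host or script file."""
    return [v for v in values if RUN_KEY_RE.search(v.key) and _runs_script(v.data)]


def find_startup_scripts(paths: list[str]) -> list[str]:
    """Script files placed in a Start Menu Startup folder."""
    return [p for p in paths
            if "\\start menu\\programs\\startup\\" in p.lower()
            and p.lower().endswith(SCRIPT_EXTS)]


def find_suspect_requests(log_lines: list[str]) -> list[tuple]:
    """Flag constructed proxy-log lines '<time> <process> <host> <path>' where a
    script host talks to the network or any process hits an IP-lookup service."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than crash mid-triage
        _, proc, host, path = parts
        reasons = []
        if proc.lower() in SCRIPT_HOSTS:
            reasons.append("script host on the network")
        if host.lower() in IP_LOOKUP_HOSTS:
            reasons.append("external IP lookup")
        if reasons:
            hits.append((proc, host, path, tuple(reasons)))
    return hits


# Constructed sample inputs (not from the sandbox run).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"R7MC1D7ZGB"="wscript.exe //B \"C:\\Users\\victim\\AppData\\Roaming\\R7MC1D7ZGB.js\""
'''
SAMPLE_STARTUP = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R7MC1D7ZGB.js",
]
SAMPLE_LOG = [
    "2022-02-28T10:01:02Z chrome.exe www.microsoft.com /",
    "2022-02-28T10:01:09Z wscript.exe api.ipify.org /?format=text",
    "2022-02-28T10:01:11Z wscript.exe example-c2.invalid /",
]

if __name__ == "__main__":
    for v in find_script_run_keys(parse_reg_export(SAMPLE_REG)):
        print("Run key:", v.key, v.name, "->", v.data)
    for p in find_startup_scripts(SAMPLE_STARTUP):
        print("Startup file:", p)
    for proc, host, path, why in find_suspect_requests(SAMPLE_LOG):
        print("Network:", proc, host, path, "|", ", ".join(why))
```

On a live host, feed `parse_reg_export` the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent), and `find_startup_scripts` a directory listing of each user's Startup folder; the log scanner expects whatever your proxy or EDR exports, reduced to the four whitespace-separated fields shown.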