General
Target: Corrected documents.js
Size: 320KB
Sample: 220620-jqy31sbafq
MD5: c46aaba5d2996d30a25d22ecd4d6b030
SHA1: 73c692f130ec8ffd9f0a9a3700b81b0e5958b00f
SHA256: 89d59ea39f7acdba2870362b32b282d34ccbe850ccb1889d95d616add09c1667
SHA512: 74b67408dd9945e3cad913732ff6254c0ed0f66f70df4b9bc54626654173dace1979218a0e0dd06abf0e77873c5b1b2f7f6fa5b972c4ceeaa4f329e8d04f446d
Static task: static1
Behavioral task: behavioral1 (sample: Corrected documents.js; resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: Corrected documents.js; resource: win10v2004-20220414-en)
Malware Config
Extracted: wshrat
http://193.233.191.96:3030
Targets
Target: Corrected documents.js
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext