General
Target: Complete documents.js
Size: 278KB
Sample: 220628-h4xxfahfd5
MD5: 73c18351745de8bb47262a331169fbaf
SHA1: 1ef001a039e0038cde60c21c54c6c599f2932ba3
SHA256: 8221b6211f79e4818887d04abe5bc795ad145111f56b700434129ebfa7d3611e
SHA512: a8e112e45dba72a787e5bc78333946d5f4400fc14e6570c4c458e60a1a5e45742f3d49c16fe3a65e089d9c5787a1534cdf98f432e7885d5ba1011155e9a6ef16
Static task: static1
Behavioral task: behavioral1 (sample: Complete documents.js, resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: Complete documents.js, resource: win10v2004-20220414-en)
Malware Config
Extracted: wshrat
http://45.141.237.3:3030
Targets
Target: Complete documents.js (278KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.