General

  • Target

    44012c0ca20d332de770aef31f2cc49b.exe

  • Size

    606KB

  • Sample

    221024-vctf6ahgbj

  • MD5

    44012c0ca20d332de770aef31f2cc49b

  • SHA1

    95fda94b60e6156e9c0b81086072b031c5414115

  • SHA256

    3922ac9a1588e0d9d5946e71d95d065cc3cf64e776d792b105981e23220d096f

  • SHA512

    e55c0629614d15589394f4fe47ad6ed3de342040c632426a1c3bf93cd24f9b3c16d8522d7a10b238166fb287c03427766afb5c992151631c6dab9a7c34432e2d

  • SSDEEP

    12288:re3+DBTIES/VC1Qxow0/xloaTFx/qjM67jLZ/+bPb6mYG2ea3uzZ1/DjpZPQMsDc:yYIvaTfAeTkc

Malware Config

Extracted

Family

wshrat

C2

http://snkcyp.duckdns.org:3369

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks