General

  • Target

    RFQ #7328071819.js

  • Size

    253KB

  • Sample

    221025-ll2z8acbh5

  • MD5

    e4dc10e687c06ecaa22e1aa6253974db

  • SHA1

    ef661330b4ad4ed99d758ee39b297297351c26ef

  • SHA256

    55530405125fdba0025928832f439138de927f62069609f2e63f166856237e31

  • SHA512

    27916b09aaf97e8476b44d07d9cedcb06e21f4bdf3c75800cd7beb193fc8b8633ff6b675662e46ee946d0902adb4d7ff5512c780d1ee501e9ea1bd3e47105817

  • SSDEEP

    3072:/pLVgZ19lcqeVcFaWCYLBVBEQ2r0G830NyuAyTWi15r02jr0jyA1I1EI0V77G4Dv:xqeVcyIG836Th1Z0UAjhIE6KF9eS

Malware Config

Extracted

Family

wshrat

C2

http://whiteking.giize.com:4040

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks