General
Target: RFQ #7328071819.js
Size: 253KB
Sample: 221025-ll2z8acbh5
MD5: e4dc10e687c06ecaa22e1aa6253974db
SHA1: ef661330b4ad4ed99d758ee39b297297351c26ef
SHA256: 55530405125fdba0025928832f439138de927f62069609f2e63f166856237e31
SHA512: 27916b09aaf97e8476b44d07d9cedcb06e21f4bdf3c75800cd7beb193fc8b8633ff6b675662e46ee946d0902adb4d7ff5512c780d1ee501e9ea1bd3e47105817
SSDEEP: 3072:/pLVgZ19lcqeVcFaWCYLBVBEQ2r0G830NyuAyTWi15r02jr0jyA1I1EI0V77G4Dv:xqeVcyIG836Th1Z0UAjhIE6KF9eS
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ #7328071819.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: RFQ #7328071819.js
  Resource: win10v2004-20220812-en
Malware Config
Extracted family: wshrat
Extracted URL: http://whiteking.giize.com:4040
Targets
Target: RFQ #7328071819.js (size and hashes identical to the General section above)
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext