General

  • Target

    wynmove12.js

  • Size

    24KB

  • Sample

    221104-vsktysbahl

  • MD5

    d5ea6c96a7024e85552409e96969ad7a

  • SHA1

    c92f1c6c9746a71af29cef9c6f34b5d45bf67a80

  • SHA256

    2d8b0b3ba291821031ecedb2888aef031d0ca7661e70ba53f77e0ba9d05623a9

  • SHA512

    157f4e2d924b1db4ff16124cdbbbfa53f453589cc434ab68343bfc394e6d65a869969b41fe6bc8499369057870334a8d48035d536c07160b2d80a01c4c3db8d3

  • SSDEEP

    384:/zeqLYJ6DOi96GL5hp4M487wCkns7RVXGRADNfltenQFNWa7E0RDKT/:nYJ6DOaL5hCl3bkVfPzma40ReL

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Targets

    • Target

      wynmove12.js

    • Size

      24KB

    • MD5

      d5ea6c96a7024e85552409e96969ad7a

    • SHA1

      c92f1c6c9746a71af29cef9c6f34b5d45bf67a80

    • SHA256

      2d8b0b3ba291821031ecedb2888aef031d0ca7661e70ba53f77e0ba9d05623a9

    • SHA512

      157f4e2d924b1db4ff16124cdbbbfa53f453589cc434ab68343bfc394e6d65a869969b41fe6bc8499369057870334a8d48035d536c07160b2d80a01c4c3db8d3

    • SSDEEP

      384:/zeqLYJ6DOi96GL5hp4M487wCkns7RVXGRADNfltenQFNWa7E0RDKT/:nYJ6DOaL5hCl3bkVfPzma40ReL

    • WSHRAT

      WSHRAT (Windows Script Host RAT) is a variant of the Houdini worm and exists in both VBScript (.vbs) and JavaScript (.js) forms; this sample is the JavaScript form.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application
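
The four behavioural signatures above (script host making a network request, C2 contact, startup-folder drop, Run-key persistence) can be turned into host detection logic. The following is an added example, not part of the sandbox report and not the sandbox's own signature code; it runs the checks over a handful of constructed Sysmon-style events (IDs 3, 11 and 13, field names assumed) using the C2 address and sample name from this report. Sysmon does not record registry reads, so the "Checks computer location settings" signature is not reconstructible from this telemetry and is deliberately left out.

```python
"""Re-implement the report's behavioural signatures over constructed Sysmon-style events.

Added example; event layout, field names and the sample events are assumptions,
only the C2 address, port and sample file name come from the report above.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# IOCs taken from the report.
C2_HOST = "45.139.105.174"
C2_PORT = 7670

# Assumptions for the detection logic (not stated in the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

Event = Dict[str, object]
Hit = Tuple[str, str]          # (signature name, evidence)
Rule = Callable[[Event], Optional[Hit]]


def _image_name(event: Event) -> str:
    """Basename of the Image field, lower-cased (e.g. 'wscript.exe')."""
    return str(event.get("Image", "")).rsplit("\\", 1)[-1].lower()


def rule_c2_beacon(event: Event) -> Optional[Hit]:
    """Sysmon ID 3: any process connecting to the extracted C2 host:port."""
    if event.get("EventID") != 3:
        return None
    if event.get("DestinationIp") == C2_HOST and int(event.get("DestinationPort", 0)) == C2_PORT:
        return ("C2 beacon", f"{_image_name(event)} -> {C2_HOST}:{C2_PORT}")
    return None


def rule_script_host_network(event: Event) -> Optional[Hit]:
    """Sysmon ID 3: a Windows Script Host process making any outbound connection."""
    if event.get("EventID") != 3:
        return None
    img = _image_name(event)
    if img in SCRIPT_HOSTS:
        return ("Blocklisted process makes network request",
                f"{img} -> {event.get('DestinationIp')}:{event.get('DestinationPort')}")
    return None


def rule_run_key(event: Event) -> Optional[Hit]:
    """Sysmon ID 13: Run/RunOnce value whose data launches a script file or script host."""
    if event.get("EventID") != 13:
        return None
    target = str(event.get("TargetObject", ""))
    details = str(event.get("Details", ""))
    launches_script = SCRIPT_EXT.search(details) or any(h in details.lower() for h in SCRIPT_HOSTS)
    if RUN_KEY.search(target) and launches_script:
        return ("Adds Run key to start application", f"{target} = {details}")
    return None


def rule_startup_drop(event: Event) -> Optional[Hit]:
    """Sysmon ID 11: a script file created in a Startup folder."""
    if event.get("EventID") != 11:
        return None
    path = str(event.get("TargetFilename", ""))
    if STARTUP_DIR.search(path) and SCRIPT_EXT.search(path):
        return ("Drops startup file", path)
    return None


RULES: List[Rule] = [rule_c2_beacon, rule_script_host_network, rule_run_key, rule_startup_drop]


def triage(events: Iterable[Event]) -> List[Hit]:
    """Run every rule over every event; one event may trigger several signatures."""
    hits: List[Hit] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed telemetry modelled on what wscript.exe running wynmove12.js would produce.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # placeholder SID
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\Downloads\wynmove12.js"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove12.js"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\wynmove12",
     "Details": r'wscript.exe //B "C:\Users\victim\AppData\Roaming\wynmove12.js"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "45.139.105.174", "DestinationPort": 7670},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},   # benign, must not fire
]

if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_EVENTS):
        print(f"[{name}] {evidence}")
```

The C2 rule is the only one tied to this specific sample; the other three are generic WSH-RAT/Houdini tradecraft and will keep firing when the operator rotates the C2 address, which is why a detection engineer would deploy them as separate rules rather than one combined signature.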
