General
-
Target
Purchase Contract.js
-
Size
1.2MB
-
Sample
230126-wzbqaseg29
-
MD5
d7d4bde73f37306d955f0bfb63a8d002
-
SHA1
843b86723b5c6113b1ab20756b98d3c8221db031
-
SHA256
da924bd600bfab2b3d7647fadf31593747aac941e083856d8bcedaa021da4b7a
-
SHA512
a61e46c3dda203705a7f28a86f2534e729c5f9dbcb267c821d47268391424851d4157bdb772b3c3a82c935b4ee1a987fa803d3c956df1f5ec68947f2d5caf6d5
-
SSDEEP
12288:eQ3B7qgpCrbmZ7njOZkjS1MDP13+2O/+dKEy:gbm5nikjSCDPl6/+dKD
Malware Config
Extracted
wshrat
http://auto.stevenpartners.com:23015
Targets
-
-
Target
Purchase Contract.js
-
Size
1.2MB
-
MD5
d7d4bde73f37306d955f0bfb63a8d002
-
SHA1
843b86723b5c6113b1ab20756b98d3c8221db031
-
SHA256
da924bd600bfab2b3d7647fadf31593747aac941e083856d8bcedaa021da4b7a
-
SHA512
a61e46c3dda203705a7f28a86f2534e729c5f9dbcb267c821d47268391424851d4157bdb772b3c3a82c935b4ee1a987fa803d3c956df1f5ec68947f2d5caf6d5
-
SSDEEP
12288:eQ3B7qgpCrbmZ7njOZkjS1MDP13+2O/+dKEy:gbm5nikjSCDPl6/+dKD
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-