General
-
Target
d7d4bde73f37306d955f0bfb63a8d002.bin
-
Size
310KB
-
Sample
230130-ydj6nadh8t
-
MD5
f2146bb0e3024bcbb4df63d62ba69ab8
-
SHA1
0c2c54ba56b4347dc93c662f5c0f0131b6163c3b
-
SHA256
07df11b39873affcb74898f246bad8a6f8d2787a2bf5b3aa36396758b987c25d
-
SHA512
65bab48b1e6f6b3c4cc4c9a64acbe5197b63c2994a1690e82a5bd5c327c61f2d6f311225ce5f2d6a106ec2b57334405918130b43eb19923c504b0d73e713bd70
-
SSDEEP
6144:woMBsTvvTkKu1ZcQCTvKCaQKb/SUE48MbujFWoMyGCrTMLgt0txLX2sn:woMCTgZAQiiCIb/SUTqjZML9tdXPn
Malware Config
Extracted
wshrat
http://auto.stevenpartners.com:23015
Targets
-
-
Target
da924bd600bfab2b3d7647fadf31593747aac941e083856d8bcedaa021da4b7a.js
-
Size
1.2MB
-
MD5
d7d4bde73f37306d955f0bfb63a8d002
-
SHA1
843b86723b5c6113b1ab20756b98d3c8221db031
-
SHA256
da924bd600bfab2b3d7647fadf31593747aac941e083856d8bcedaa021da4b7a
-
SHA512
a61e46c3dda203705a7f28a86f2534e729c5f9dbcb267c821d47268391424851d4157bdb772b3c3a82c935b4ee1a987fa803d3c956df1f5ec68947f2d5caf6d5
-
SSDEEP
12288:eQ3B7qgpCrbmZ7njOZkjS1MDP13+2O/+dKEy:gbm5nikjSCDPl6/+dKD
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-