General
-
Target
8994205416.zip
-
Size
170KB
-
Sample
230202-wsetdaaa84
-
MD5
66c610edd3c965275feddf625a4cee29
-
SHA1
1f21d21c56d79f0616e21747d90d8ac23be28e34
-
SHA256
734d09bb3476456c305f452854465f19d7efcc0c2d9ea7b94ee1fa15966f2198
-
SHA512
b4b7eec85dd9c47d4f0e1beaaf7e8f1da30ccbcbbd99c0d10e52ca37b1a562e7a0006c7d5f46cac41bb98212f30adbcbfccaeb3ebfbd1e468856ddb7ac890740
-
SSDEEP
3072:+svze3oCtwjhLab7jTTVkKApO++4niC05oHzymWpj19JjjjnLu4PGFbn:+qze3pwjgb7vCKr4izszymWpxGE6j
Malware Config
Extracted
wshrat
http://auto.stevenpartners.com:23015
Targets
-
-
Target
a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce
-
Size
285KB
-
MD5
eeacf758acc21133811bce63aa477ee7
-
SHA1
d2ed9bfbfb8dd47ac3120efc757f43adf3ce3dbf
-
SHA256
a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce
-
SHA512
fb97ce1cb831f48f5612976f8401d3eabd580ffb16375f24f53139cc3991a55028fe2a7668024c572b3a08f6e4ef4eca55bca974e07223e5b28901e650ff78b1
-
SSDEEP
6144:7DrOg9pEJX1WPNSrV8iLgENxGVc+2dfpMAZL6sXZ7lorHawkkt:7DrOrJXAPGZxGVsl6mlsNt
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-