Overview

overview

10

Static

static

1

Payment De...pdf.js

windows7-x64

10

Payment De...pdf.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Details.pdf.js

  • Size

    3.0MB

  • Sample

    230220-n9qyzaad3y

  • MD5

    2e893ed360a5b3586ae13862a492652f

  • SHA1

    053d796519b37d69bf6650f92c5404ef9830ec43

  • SHA256

    ec20d0a098f22992a04e3b875996a6af49e023e929fea3e6192c7444fb80553f

  • SHA512

    f5720175d6383ac7053c1138d3c88c2b4f152985620771e595b698960e699268b3926b000adbf7cc53f184f9d6a5611b34ebad7810da4a973820e9f94af7afec

  • SSDEEP

    3072:gOMWWSK0P5mUSfibfWZN7T7VE+NFlC7575eGlGE32qXaj1slgD71dwMbb9rp6D9B:y1Ye4E/e/gElEiLnD

Score
10/10
vjw0rmwshratpersistencetrojanworm

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      Payment Details.pdf.js

    • Size

      3.0MB

    • MD5

      2e893ed360a5b3586ae13862a492652f

    • SHA1

      053d796519b37d69bf6650f92c5404ef9830ec43

    • SHA256

      ec20d0a098f22992a04e3b875996a6af49e023e929fea3e6192c7444fb80553f

    • SHA512

      f5720175d6383ac7053c1138d3c88c2b4f152985620771e595b698960e699268b3926b000adbf7cc53f184f9d6a5611b34ebad7810da4a973820e9f94af7afec

    • SSDEEP

      3072:gOMWWSK0P5mUSfibfWZN7T7VE+NFlC7575eGlGE32qXaj1slgD71dwMbb9rp6D9B:y1Ye4E/e/gElEiLnD

    Score
    10/10
    vjw0rmwshratpersistencetrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks