Overview

overview

10

Static

static

1

03720230050.js

windows7-x64

10

03720230050.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    03720230050.js

  • Size

    1.3MB

  • Sample

    230308-zw6m2sha83

  • MD5

    a2d87864e4ae3f37438382c7059d1db8

  • SHA1

    e9fb58de42c5a06f79f2e5121240134402a6c61c

  • SHA256

    8238be6c23aee13f83faffb0a2ac1abcb1a698fd87c48aa8f2cd2a36a4a29140

  • SHA512

    e283e05fb8d43bb1955a47df1ce89834133c45f98b738df775112be8c122cb4d902e637424901ef6cb31d494f834c8bb05cf629743bb2d2e66f4724bca9e8fbf

  • SSDEEP

    6144:m427cWqyvMWQ4jn9SLjCFmKm+GkM27AhrqxV4ENyrWVvBUk/h+N+ZzGwRmwTeXOZ:sP

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      03720230050.js

    • Size

      1.3MB

    • MD5

      a2d87864e4ae3f37438382c7059d1db8

    • SHA1

      e9fb58de42c5a06f79f2e5121240134402a6c61c

    • SHA256

      8238be6c23aee13f83faffb0a2ac1abcb1a698fd87c48aa8f2cd2a36a4a29140

    • SHA512

      e283e05fb8d43bb1955a47df1ce89834133c45f98b738df775112be8c122cb4d902e637424901ef6cb31d494f834c8bb05cf629743bb2d2e66f4724bca9e8fbf

    • SSDEEP

      6144:m427cWqyvMWQ4jn9SLjCFmKm+GkM27AhrqxV4ENyrWVvBUk/h+N+ZzGwRmwTeXOZ:sP

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks