General

  • Target

    Payment proof.js

  • Size

    1003KB

  • Sample

    230401-h9jl1aaa7z

  • MD5

    9e733fa24be87845ac6194184afb59a2

  • SHA1

    962dfe219a3892d2ad653ddd29c2473664fec69f

  • SHA256

    bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299

  • SHA512

    ff405ea9375bda5c2f8a512d6c8364f912a8c6f0147ac59d47c025a89b1dbb5471a3a7a9bab8ffa313097aa074d302c7b00be6575f77d0922843fcac0d08ea09

  • SSDEEP

    3072:GQueMnqPJqQSV4dWCMwGpAstU60gzxuxJ0ILpj4jYfc:GQueMnqPJqQSV4dWCMxU60gzxurG

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • WSHRAT

      WSHRAT (WSH RAT) is a variant of the Houdini worm; it is distributed as VBS and JS scripts and runs under the Windows Script Host.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from certain regions.

    • Drops startup file

    • Looks up external IP address via web service

      Queries a legitimate IP lookup web service to learn the infected system's public IP address, which is typically reported back to the C2.
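
The hashes and C2 in the General and Malware Config sections, together with the behaviour signatures above, can be turned into a small triage check. The following is an added example written for this page, not tooling from the sandbox or the report; the event schema is a simplified Sysmon-like dict format, the sample events are constructed, and the registry path for the country code (HKCU\Control Panel\International) and the list of IP lookup services are assumptions, since the report only states the behaviours, not the exact keys or hosts.

```python
"""Triage helper for the WSHRAT report above (added example, not report tooling).

Two checks:
  1. static: does a file's hash match the published sample hashes, and does a
     connection match the extracted C2 host:port?
  2. behavioural: do endpoint telemetry events show the signature behaviours
     the sandbox flagged (script host making a network request, country code
     lookup in the registry, file dropped into a Startup folder, external IP
     lookup via a web service)?
"""
import hashlib
from urllib.parse import urlparse

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "9e733fa24be87845ac6194184afb59a2",
    "sha1": "962dfe219a3892d2ad653ddd29c2473664fec69f",
    "sha256": "bef0a4f7c95c95f7591e26dcbef32018614915ba62a9a65040d39b7de2e32299",
}
C2_URL = "http://harold.2waky.com:3609"

# Windows Script Host processes, the "blocklisted process" for a .js lure.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# ASSUMPTION: registry location of the configured locale/country code.
LOCALE_KEY_FRAGMENT = r"\control panel\international"
# ASSUMPTION: common legitimate IP lookup services.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
# Per-user Startup folder fragment (lower-cased, no trailing backslash).
STARTUP_FRAGMENT = r"\start menu\programs\startup"


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """True if the SHA256 of the data matches the report's sample."""
    return file_hashes(data)["sha256"] == SAMPLE_HASHES["sha256"]


def is_c2(host: str, port: int) -> bool:
    """Match on host and port of the extracted C2 (default port 80 if absent)."""
    c2 = urlparse(C2_URL)
    return host.lower() == c2.hostname and port == (c2.port or 80)


def detect(events) -> dict:
    """Map signature name -> list of matching events (only non-empty keys).

    Each event has 'type' and 'image' (process name). Other keys depend on
    the type: 'dest_host'/'dest_port' for network, 'key' for registry,
    'path' for file_create.
    """
    hits = {
        "blocklisted_process_network_request": [],
        "checks_computer_location_settings": [],
        "drops_startup_file": [],
        "looks_up_external_ip": [],
        "c2_contact": [],
    }
    for ev in events:
        script_host = ev.get("image", "").lower() in SCRIPT_HOSTS
        kind = ev.get("type")
        if kind == "network":
            host = (ev.get("dest_host") or "").lower()
            port = int(ev.get("dest_port") or 0)
            if script_host:
                hits["blocklisted_process_network_request"].append(ev)
            if host in IP_LOOKUP_HOSTS:
                hits["looks_up_external_ip"].append(ev)
            if is_c2(host, port):
                hits["c2_contact"].append(ev)
        elif kind == "registry" and script_host:
            if LOCALE_KEY_FRAGMENT in ev.get("key", "").lower():
                hits["checks_computer_location_settings"].append(ev)
        elif kind == "file_create" and script_host:
            if STARTUP_FRAGMENT in ev.get("path", "").lower():
                hits["drops_startup_file"].append(ev)
    return {name: evs for name, evs in hits.items() if evs}


# Constructed telemetry for a run of the lure; not taken from the sandbox.
SAMPLE_EVENTS = [
    {"type": "process", "image": "wscript.exe",
     "cmdline": 'wscript.exe "Payment proof.js"'},
    {"type": "registry", "image": "wscript.exe",
     "key": r"HKCU\Control Panel\International\sCountry"},
    {"type": "file_create", "image": "wscript.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment proof.js"},
    {"type": "network", "image": "wscript.exe",
     "dest_host": "api.ipify.org", "dest_port": 80},
    {"type": "network", "image": "wscript.exe",
     "dest_host": "harold.2waky.com", "dest_port": 3609},
    {"type": "network", "image": "chrome.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for name, evs in detect(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

The C2 match deliberately compares host and port rather than the full URL, because dynamic DNS hosts like 2waky.com are reused and the port is the more specific part of this indicator; the hash check uses SHA256 only, since MD5 and SHA1 are kept for cross-referencing other reports, not for attribution.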

MITRE ATT&CK Enterprise v6

Tasks