General

  • Target

    proof of payment.js

  • Size

    1.0MB

  • Sample

    230403-pnx1tsef52

  • MD5

    268465fb352ba7fcdc2962fa61ef4297

  • SHA1

    7bf12c70c9f1a33dd3d4a1856dbb47b117747857

  • SHA256

    5e1adbfff93bc6cb24e86022f3729ae05ed44fdf7057951117b87c7ff135aab3

  • SHA512

    2d0b68fe6ee1c1079a8df6375d9d99c023a1b8526c394a9599be720aeab0d1ecd9617332b6f4cdd3342bdda3e79f3657a8cb92272522ddec805c51af2aa05fe4

  • SSDEEP

    3072:MQI+0S8VOIWMXib7SWGbgLC+DWvBLwSwfoPp:MQoxJwQh

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks