General

  • Target

    Proof of payment.js

  • Size

    1.1MB

  • Sample

    230419-tmdysadf7t

  • MD5

    07948d4c14243ac4b4eaf9a0230ec5b5

  • SHA1

    185fb7dd9090676f5ad5f25273a7995ca2b9c1a1

  • SHA256

    b10629b039634989764ba8d45aaa4ea06482e770d2ad9ee436d4fe0d4eff9144

  • SHA512

    c1e00563bf710d3e5a516c9a72968a35096d2c6b8571f341e4639bf3b0a0a85bb4f5c102a39c7daf9c4cd366bcb820b4ddcd3413e75c4a11a6972a0862ce0cf6

  • SSDEEP

    3072:QQToJ8BgSQIp0Ptzlk69MkT3QvWEYye6mTKAl:QQTstMkT6ed

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:1604

Targets

    Score
    10/10
    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks