General

  • Target

    tmp

  • Size

    424KB

  • Sample

    230422-jvym2sdf66

  • MD5

    e94871c8a2bc386e5c4310db63c30502

  • SHA1

    8c693844dd55b5427af7476998327dfccec2720e

  • SHA256

    74cbe760521247712b2230fb7e7d6f7aa1ad716c66047197a992e05fde14996b

  • SHA512

    05b4df6e4d85e93b5da002420b47ecd7a6b6ac0d4d41964c0027b179abb1cafd49cc583c94db2a0a7bc503a4eee164fe3b414325aeecbad20128d3faf638e1d7

  • SSDEEP

    6144:/Ya6qtsbZWSoWvYDoykr2U6uV/JytIXbu90ElEGTI6nl5nrDQnveub7Kv:/YktsbZWcvKevytIr1ElW6lRQnHXKv

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence the infection (bail out or change behaviour depending on the victim's locale).

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to discover the infected system's external IP address.

    • Suspicious use of SetThreadContext
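The signature list above is the kind of behavioural summary a sandbox produces; the following is an added example (not code from the report or from the sandbox vendor) of how the same behaviours can be flagged from host telemetry. The event records are constructed for this example and are not from this sample's run; the event schema, the list of IP-lookup hostnames, the "blocklisted" script-host process names and the `Control Panel\International` registry path used for the location check are all assumptions of this example, not facts taken from the report.

```python
"""Flag the behaviours named in the sandbox signature list in Sysmon-style
event records.  Added example; events, schema and indicator lists are
assumptions constructed for illustration, not data from the report."""
import re

# Constructed sample events (not from the report).  Each record mimics one
# registry / file / network / API telemetry line with a minimal schema.
EVENTS = [
    {"type": "registry", "op": "SetValue",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "data": r"wscript.exe //B C:\Users\u\AppData\Roaming\tmp.vbs"},
    {"type": "file", "op": "Create",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.vbs"},
    {"type": "registry", "op": "QueryValue",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "network", "op": "Connect", "process": "wscript.exe",
     "host": "ip-api.com", "port": 80},
    {"type": "api", "op": "SetThreadContext", "process": "tmp.exe",
     "target_pid": 4321},
    # benign control record: should match nothing
    {"type": "file", "op": "Create", "path": r"C:\Users\u\Documents\notes.txt"},
]

# Indicators (assumed for this example).  Patterns are matched against
# Windows paths, so each backslash is doubled inside the regex.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\", re.I)
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io",
                   "checkip.dyndns.org", "icanhazip.com"}
# Script/LOLBin hosts that should not normally be making outbound requests.
BLOCKLISTED_PROCESSES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def classify(event):
    """Return the list of signature names (as worded in the report) that
    a single event matches; an empty list means the event is unremarkable."""
    hits = []
    kind, op = event["type"], event["op"]
    if kind == "registry" and op == "SetValue" and RUN_KEY.search(event["path"]):
        hits.append("Adds Run key to start application")
    if kind == "file" and op == "Create" and STARTUP_DIR.search(event["path"]):
        hits.append("Drops startup file")
    if kind == "registry" and op == "QueryValue" and GEO_KEY.search(event["path"]):
        hits.append("Checks computer location settings")
    if kind == "network" and event.get("host", "").lower() in IP_LOOKUP_HOSTS:
        hits.append("Looks up external IP address via web service")
        if event.get("process", "").lower() in BLOCKLISTED_PROCESSES:
            hits.append("Blocklisted process makes network request")
    if kind == "api" and op == "SetThreadContext":
        # Setting another thread's context is a common step of process
        # hollowing / injection; on its own it is only a suspicion signal.
        hits.append("Suspicious use of SetThreadContext")
    return hits


def triage(events):
    """Map each matched signature name to the indexes of the events that
    triggered it, so an analyst can jump from verdict to evidence."""
    report = {}
    for index, event in enumerate(events):
        for signature in classify(event):
            report.setdefault(signature, []).append(index)
    return report


if __name__ == "__main__":
    for signature, indexes in triage(EVENTS).items():
        print(f"{signature}: events {indexes}")
```

Each hit keeps a pointer back to the raw event, which is what makes a signature list like the one above auditable: "Adds Run key" should always be traceable to the exact value written, and "Suspicious use of SetThreadContext" should be read as a lead to pull the target process's memory, not as proof of injection by itself.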
