General
-
Target
OrderPO22170555823612pg.js
-
Size
3.5MB
-
Sample
230518-gm1rbshh32
-
MD5
67d595a490ca50d4616e9aba4fb4bfe9
-
SHA1
b383bffa308581381d6f4b97974b37c002bf323b
-
SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec
-
SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4
-
SSDEEP
24576:I5iGHLJMwn013Jk0567dGoDOlYGG/FKSfuG6eGL1X8wZJtDWWqHow8U1MN2YucKR:Vq
Malware Config
Extracted
wshrat
http://141.98.6.239:5000
Targets
-
-
Target
OrderPO22170555823612pg.js
-
Size
3.5MB
-
MD5
67d595a490ca50d4616e9aba4fb4bfe9
-
SHA1
b383bffa308581381d6f4b97974b37c002bf323b
-
SHA256
1543bfaa499ff7f817f62a9014d60eba43518ada057c4ec4ba29fb6de35982ec
-
SHA512
e1f595ba83b85fe7a9017b8bdb7411968f622b7fd57b46fc4a9d2f6dc269e5bd3bc6bef6efbfd68c2a95a930291d682078acb9021edd63b573194823289b37f4
-
SSDEEP
24576:I5iGHLJMwn013Jk0567dGoDOlYGG/FKSfuG6eGL1X8wZJtDWWqHow8U1MN2YucKR:Vq
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-