Overview

overview

10

Static

static

1

37c5330acc...657.js

windows7-x64

10

37c5330acc...657.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bcf2d9bfddeec58c7adfb7b85a6b179e.bin

  • Size

    214KB

  • Sample

    230519-ccswhsee52

  • MD5

    d01d3df76404cacd7dc954cdda51c30b

  • SHA1

    ece7299ed4297151df5ebec29b2ef406d7e9d5ff

  • SHA256

    ef75121bade3a31c981d6086a09633a2965380f954e6496c491e21d27c7dabc1

  • SHA512

    b94e0f884548d1e61c81eec3de6b57a60c7c44c25a696b119bb868064df78c7943bd25c009fcf565b1beaf6394009c5fdde6deca8ca36e60a48a0131a865ecfd

  • SSDEEP

    6144:XvKZLJP6RHn6HJDM0+CYh3QKWOgHDgZQm:XSVJPEmJDt+CofZQm

Score
10/10
wshrattrojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:1604

Targets

    • Target

      37c5330acc675d94efd73294e5e3942362437c611a6fc39ca19b6a8fd4afb657.js

    • Size

      983KB

    • MD5

      bcf2d9bfddeec58c7adfb7b85a6b179e

    • SHA1

      bf7c734f61cf2138932782a4a7c4873084168082

    • SHA256

      37c5330acc675d94efd73294e5e3942362437c611a6fc39ca19b6a8fd4afb657

    • SHA512

      34d3819a269e254df91355df35d871b76577f0067275f2aac18c34a76913c08b7fe1b4a434e8b444e13253a4dbed4984dfe40a85803e218fd5d4c0866072be0b

    • SSDEEP

      6144:QQa4dEoQA8gY1J3H2gzGs/f99tz/NpjQiVAOB199LWqm0amhAuP+jLCHw7oIncrX:TVk

    Score
    10/10
    wshrattrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks