General
-
Target
bcf2d9bfddeec58c7adfb7b85a6b179e.bin
-
Size
214KB
-
Sample
230519-ccswhsee52
-
MD5
d01d3df76404cacd7dc954cdda51c30b
-
SHA1
ece7299ed4297151df5ebec29b2ef406d7e9d5ff
-
SHA256
ef75121bade3a31c981d6086a09633a2965380f954e6496c491e21d27c7dabc1
-
SHA512
b94e0f884548d1e61c81eec3de6b57a60c7c44c25a696b119bb868064df78c7943bd25c009fcf565b1beaf6394009c5fdde6deca8ca36e60a48a0131a865ecfd
-
SSDEEP
6144:XvKZLJP6RHn6HJDM0+CYh3QKWOgHDgZQm:XSVJPEmJDt+CofZQm
Malware Config
Extracted
wshrat
http://harold.2waky.com:1604
Targets
-
-
Target
37c5330acc675d94efd73294e5e3942362437c611a6fc39ca19b6a8fd4afb657.js
-
Size
983KB
-
MD5
bcf2d9bfddeec58c7adfb7b85a6b179e
-
SHA1
bf7c734f61cf2138932782a4a7c4873084168082
-
SHA256
37c5330acc675d94efd73294e5e3942362437c611a6fc39ca19b6a8fd4afb657
-
SHA512
34d3819a269e254df91355df35d871b76577f0067275f2aac18c34a76913c08b7fe1b4a434e8b444e13253a4dbed4984dfe40a85803e218fd5d4c0866072be0b
-
SSDEEP
6144:QQa4dEoQA8gY1J3H2gzGs/f99tz/NpjQiVAOB199LWqm0amhAuP+jLCHw7oIncrX:TVk
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-