Overview

overview

10

Static

static

1

Spec00301.js

windows7-x64

10

Spec00301.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Spec00301.js

  • Size

    1.1MB

  • Sample

    230519-hfsmtafe67

  • MD5

    2640b5851d4ff75bfc5c3ddf9cea67c7

  • SHA1

    377210fc1a662564fc2c88e0ee974b992bd396eb

  • SHA256

    51dd8819906a735ebf6cc646da4d4ed23937e66b39a55b0dca5b01e7a0ce3f6d

  • SHA512

    35ac8196a02b9e1a70cb8cc144b668f38eea87ba5645d102f384e7888423304108fe40d0b762e51d813cf1dbfbec1554c4dd1ef08f89718e17de6bc2a8821615

  • SSDEEP

    3072:znsMGGRlz5Hay9mgUAbud4dGkgvsGHgke6K7lV:R9ml4dGUmK7D

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      Spec00301.js

    • Size

      1.1MB

    • MD5

      2640b5851d4ff75bfc5c3ddf9cea67c7

    • SHA1

      377210fc1a662564fc2c88e0ee974b992bd396eb

    • SHA256

      51dd8819906a735ebf6cc646da4d4ed23937e66b39a55b0dca5b01e7a0ce3f6d

    • SHA512

      35ac8196a02b9e1a70cb8cc144b668f38eea87ba5645d102f384e7888423304108fe40d0b762e51d813cf1dbfbec1554c4dd1ef08f89718e17de6bc2a8821615

    • SSDEEP

      3072:znsMGGRlz5Hay9mgUAbud4dGkgvsGHgke6K7lV:R9ml4dGUmK7D

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks