Overview

overview

10

Static

static

1

05162023.js

windows7-x64

10

05162023.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    05162023.js

  • Size

    992KB

  • Sample

    230519-hfsmtafe68

  • MD5

    261c683cdd89ac3ca4bbbd2fd7293c7f

  • SHA1

    9bf5f09bfb3260d4fea80896c3bb1b3354cb714f

  • SHA256

    0953de8a253fe24fc1a889c903f246a455daf9d5f608931fecbf07bc6f9690cc

  • SHA512

    f517e598e7b73cf2bf828ca1ef8e181dd6950bc41126f04fc768e6137bd4debbb169c9e5544968d395c3d50441e721b64b1b4f6789520058afa686bc409a80b7

  • SSDEEP

    3072:y87FJ6J9iYlueZkFrOdvQzU6FOoctj06BTZf4pcLYnGMhfWVbCh3:y87FJ6J9iYlueZkFrq06ff4pH0gh3

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      05162023.js

    • Size

      992KB

    • MD5

      261c683cdd89ac3ca4bbbd2fd7293c7f

    • SHA1

      9bf5f09bfb3260d4fea80896c3bb1b3354cb714f

    • SHA256

      0953de8a253fe24fc1a889c903f246a455daf9d5f608931fecbf07bc6f9690cc

    • SHA512

      f517e598e7b73cf2bf828ca1ef8e181dd6950bc41126f04fc768e6137bd4debbb169c9e5544968d395c3d50441e721b64b1b4f6789520058afa686bc409a80b7

    • SSDEEP

      3072:y87FJ6J9iYlueZkFrOdvQzU6FOoctj06BTZf4pcLYnGMhfWVbCh3:y87FJ6J9iYlueZkFrq06ff4pH0gh3

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks