Overview

overview

10

Static

static

1

Tax Return...765.js

windows7-x64

10

Tax Return...765.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Tax Returns of R58,765.js

  • Size

    922KB

  • Sample

    230519-tpm98shd6z

  • MD5

    328c532dbdb1c8476def9b91f98230d9

  • SHA1

    abd932482e30b79d29a481a1fa448e7e907a4948

  • SHA256

    a29300445badc2587283db55eff6ecd93fcb489bf2c4ac94a2d756c96f73b035

  • SHA512

    52e235eeac356b6b83a83e46b910c8c11f1c149936c27f824946982dd73167205e8e7200c9c76d1ba2743974856e010afd72e28248a5e99270e52a9150384e4a

  • SSDEEP

    6144:QQ9aF0K7PD3n1NtwFfDEqD4Acy+GJIIyoEHwdCRslR/Y1FnW/ceZ0CYZ3a0W3Od2:TI6oje

Score
10/10
wshrattrojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • Target

      Tax Returns of R58,765.js

    • Size

      922KB

    • MD5

      328c532dbdb1c8476def9b91f98230d9

    • SHA1

      abd932482e30b79d29a481a1fa448e7e907a4948

    • SHA256

      a29300445badc2587283db55eff6ecd93fcb489bf2c4ac94a2d756c96f73b035

    • SHA512

      52e235eeac356b6b83a83e46b910c8c11f1c149936c27f824946982dd73167205e8e7200c9c76d1ba2743974856e010afd72e28248a5e99270e52a9150384e4a

    • SSDEEP

      6144:QQ9aF0K7PD3n1NtwFfDEqD4Acy+GJIIyoEHwdCRslR/Y1FnW/ceZ0CYZ3a0W3Od2:TI6oje

    Score
    10/10
    wshrattrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks