Overview

overview

10

Static

static

1

05212023840.js

windows7-x64

10

05212023840.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    05212023840.js

  • Size

    1.0MB

  • Sample

    230522-krm8ksfb74

  • MD5

    9ccea994750b4d63ec5ef4a705f4855e

  • SHA1

    334b5f78ce8d2a73fdb551acd389991552c39b3b

  • SHA256

    b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40

  • SHA512

    736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c

  • SSDEEP

    3072:Cm0EaAcTqGaSqBHJZieEDQjb98Ztp8i8Jkzh:Cm0EaAcTqGaSqBHJZutUGzh

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      05212023840.js

    • Size

      1.0MB

    • MD5

      9ccea994750b4d63ec5ef4a705f4855e

    • SHA1

      334b5f78ce8d2a73fdb551acd389991552c39b3b

    • SHA256

      b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40

    • SHA512

      736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c

    • SSDEEP

      3072:Cm0EaAcTqGaSqBHJZieEDQjb98Ztp8i8Jkzh:Cm0EaAcTqGaSqBHJZutUGzh

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks