General
-
Target
05212023840.js
-
Size
1.0MB
-
Sample
230522-krm8ksfb74
-
MD5
9ccea994750b4d63ec5ef4a705f4855e
-
SHA1
334b5f78ce8d2a73fdb551acd389991552c39b3b
-
SHA256
b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40
-
SHA512
736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c
-
SSDEEP
3072:Cm0EaAcTqGaSqBHJZieEDQjb98Ztp8i8Jkzh:Cm0EaAcTqGaSqBHJZutUGzh
Malware Config
Extracted
wshrat
http://45.90.222.125:7121
Targets
-
-
Target
05212023840.js
-
Size
1.0MB
-
MD5
9ccea994750b4d63ec5ef4a705f4855e
-
SHA1
334b5f78ce8d2a73fdb551acd389991552c39b3b
-
SHA256
b32f3e7d67e21bf2d40dec620a6f2a1b471847af427f924ed28b72633b9b6c40
-
SHA512
736c4ad5122bf6da2cb3adedebeea007f39f707b661f651114ea08cf33521c916e1a802701f4ea1e71767e78f913ddd0b01cfeb97b407a8a2b20d2e4c6f5079c
-
SSDEEP
3072:Cm0EaAcTqGaSqBHJZieEDQjb98Ztp8i8Jkzh:Cm0EaAcTqGaSqBHJZutUGzh
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-