Overview

overview

10

Static

static

1

Scan00518.js

windows7-x64

10

Scan00518.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scan00518.js

  • Size

    1.1MB

  • Sample

    230522-kszb8saa2s

  • MD5

    e6aa5b35052a7db7a2fd0e5efb6216e0

  • SHA1

    63e7eaf2ed555512f6a8f9c19844671ec6b36c49

  • SHA256

    2a773f8a565116d3d666fddc8a0d767497562b0f65530a71a15dd3f4fd09765f

  • SHA512

    f3da3de0809110a59c6e8e720b8fe6a414106872232dfeded1221e1aedbc848c6233d80f1c8e6b3f68e10b9a7ab29359fcc03950a8a974a1e7d1527be86c6a5d

  • SSDEEP

    1536:0N86LJBJZtqptvmDekNXSuR7skySWihwEaREBRbyHWhZiyX2jhEXEehgwNhNylr7:2sKar

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      Scan00518.js

    • Size

      1.1MB

    • MD5

      e6aa5b35052a7db7a2fd0e5efb6216e0

    • SHA1

      63e7eaf2ed555512f6a8f9c19844671ec6b36c49

    • SHA256

      2a773f8a565116d3d666fddc8a0d767497562b0f65530a71a15dd3f4fd09765f

    • SHA512

      f3da3de0809110a59c6e8e720b8fe6a414106872232dfeded1221e1aedbc848c6233d80f1c8e6b3f68e10b9a7ab29359fcc03950a8a974a1e7d1527be86c6a5d

    • SSDEEP

      1536:0N86LJBJZtqptvmDekNXSuR7skySWihwEaREBRbyHWhZiyX2jhEXEehgwNhNylr7:2sKar

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks