Overview

overview

10

Static

static

1

7133dc35b5...9e1.js

windows7-x64

10

7133dc35b5...9e1.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2ccb346e287c2eaaf1954e289d85bb90.bin

  • Size

    217KB

  • Sample

    230528-blevkseb8w

  • MD5

    a951e5813aab58292d61b6ce9b9dc350

  • SHA1

    20005100929f4f1f2770925b6ec9b3c514cfe332

  • SHA256

    421eba1200bceb1ca0a67b6d0ce9b2f659b09e45efe04d7d173e7a738c4ccae5

  • SHA512

    8ff7e01bf9d09fcb76fdcdb4257276b1f8e39543757db25c2ac1f03ddbe534beea77cb760a7550d4a1e6f254ef2a68991f0c805420fe7a5687de787ee4f2c436

  • SSDEEP

    6144:1xAwNYRNl0Jp670DGQk1jDLCO+SD78jXQG2igrd:1xMRNjklk1jDLCKf8jgG2hrd

Score
10/10
wshrattrojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • Target

      7133dc35b5ca15d27934a2ebaeb71ca36987752e34b65f87a9507ac02381a9e1.js

    • Size

      1.1MB

    • MD5

      2ccb346e287c2eaaf1954e289d85bb90

    • SHA1

      589b523fdf4feadab37b5ca37f3940b9e068935a

    • SHA256

      7133dc35b5ca15d27934a2ebaeb71ca36987752e34b65f87a9507ac02381a9e1

    • SHA512

      7219218464cbc5b14c33a7b41208ce23608931c6d9e9bd7524f72039d0cb016e256e0f18b3d3f6140a50e058f01d21a5b275a89406b88c0b347b24d6c44efca4

    • SSDEEP

      6144:QQ87FYrGNaJRpypQNKpSoZWaOHWFgqvUe/i7EnI1jtImrA/dgtrltwgV2X4EJIgq:T61wzl

    Score
    10/10
    wshrattrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks