General
-
Target
Request For Quotation.js
-
Size
1.0MB
-
Sample
230601-saffeaeg88
-
MD5
487375104a5fa7cb031f6da568ca65ec
-
SHA1
139429d45ba1f46d0bfe2d482b7f759239fa2b4a
-
SHA256
8f7d98aa6507d36a55f21687746b93034dd00c2e5a0c8af19dc3815b324fa194
-
SHA512
6cf4eb5a444f276ff9facce736a03226c8cd5e3245d969cf28af7130515f6b859afe178ceeedec9ff8f404ca14e1611ec64223aa5f72668f5bf1403c6b010264
-
SSDEEP
3072:QQ+8zkVUxDEuM3dQ45rhFGkBt6EURY3hPvx:QQ+8zkVUxDEuM3dFh
Malware Config
Extracted
wshrat
http://harold.2waky.com:3609
Targets
-
-
Target
Request For Quotation.js
-
Size
1.0MB
-
MD5
487375104a5fa7cb031f6da568ca65ec
-
SHA1
139429d45ba1f46d0bfe2d482b7f759239fa2b4a
-
SHA256
8f7d98aa6507d36a55f21687746b93034dd00c2e5a0c8af19dc3815b324fa194
-
SHA512
6cf4eb5a444f276ff9facce736a03226c8cd5e3245d969cf28af7130515f6b859afe178ceeedec9ff8f404ca14e1611ec64223aa5f72668f5bf1403c6b010264
-
SSDEEP
3072:QQ+8zkVUxDEuM3dQ45rhFGkBt6EURY3hPvx:QQ+8zkVUxDEuM3dFh
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-