General
-
Target
rORDER-023603_List.xls.vbs
-
Size
9KB
-
Sample
230604-rdt8ascd38
-
MD5
b66938f8b8ab81aef4aceeea87bbe7b5
-
SHA1
2f140f44c2f74ecff2e24dcb0b3fbd72080e090a
-
SHA256
5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b
-
SHA512
0f449d44022e9abec453180dae1f25e06fb538359c6cc52f3eb6efafb9b339f293f733284c73ac2b793fac97aee92df01eeed524c361ac0f7c35664a97dfd0bc
-
SSDEEP
48:bnlrCVFFIlV2rVboysaqbwYHppKZ2I0wiin5I2c1YleGE/+:jlrCnFSmzs/3IKin5I2c1Yle9m
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Targets
-
-
Target
rORDER-023603_List.xls.vbs
-
Size
9KB
-
MD5
b66938f8b8ab81aef4aceeea87bbe7b5
-
SHA1
2f140f44c2f74ecff2e24dcb0b3fbd72080e090a
-
SHA256
5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b
-
SHA512
0f449d44022e9abec453180dae1f25e06fb538359c6cc52f3eb6efafb9b339f293f733284c73ac2b793fac97aee92df01eeed524c361ac0f7c35664a97dfd0bc
-
SSDEEP
48:bnlrCVFFIlV2rVboysaqbwYHppKZ2I0wiin5I2c1YleGE/+:jlrCnFSmzs/3IKin5I2c1Yle9m
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-