General
-
Target
ORDER-230606_List.pdf.z
-
Size
743B
-
Sample
230609-q16zyada8x
-
MD5
25433bcfc0ecf4442108983d4906dffc
-
SHA1
cfb6becf2639af133667902fe82041e0e64a9864
-
SHA256
9342cb79d87d6805b418365e721122fe97de75de0764daebc7293c4a99fa22a6
-
SHA512
1092cbf386c8494958615b992f2b3646f264567c825287921333b766e218222d80c07806305e2e6dda74b33195ee74e60d9ec2ec92f827460af318148021e60d
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Targets
-
-
Target
ORDER-230606_List.pdf.js
-
Size
7KB
-
MD5
6dbb855f97d596832fdf8e69305c0eb8
-
SHA1
b5d5778f7a28da671bdb14eb7c796566761a44f4
-
SHA256
919ce7c9562ac3c75c038cee89f48b4ef7cc96e7e35ad85bebc2fff7a84fffdf
-
SHA512
8139f97b8c2712450325013eee8779bab6bbee03199b82ae50c8a7c67f68556b096b286dd71c7ada0a356bf78cb9454d7c483896eca455659ba624596766e215
-
SSDEEP
96:baKo33jkavQ9jRwGUvsvOwcvgGU83jwujQ9jRwGU+NyEujy48Eujy4U55FNda3Qg:H
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-