Overview

overview

10

Static

static

1

ORDER-2306...pdf.js

windows7-x64

8

ORDER-2306...pdf.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER-230606_List.pdf.z

  • Size

    743B

  • Sample

    230609-q16zyada8x

  • MD5

    25433bcfc0ecf4442108983d4906dffc

  • SHA1

    cfb6becf2639af133667902fe82041e0e64a9864

  • SHA256

    9342cb79d87d6805b418365e721122fe97de75de0764daebc7293c4a99fa22a6

  • SHA512

    1092cbf386c8494958615b992f2b3646f264567c825287921333b766e218222d80c07806305e2e6dda74b33195ee74e60d9ec2ec92f827460af318148021e60d

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      ORDER-230606_List.pdf.js

    • Size

      7KB

    • MD5

      6dbb855f97d596832fdf8e69305c0eb8

    • SHA1

      b5d5778f7a28da671bdb14eb7c796566761a44f4

    • SHA256

      919ce7c9562ac3c75c038cee89f48b4ef7cc96e7e35ad85bebc2fff7a84fffdf

    • SHA512

      8139f97b8c2712450325013eee8779bab6bbee03199b82ae50c8a7c67f68556b096b286dd71c7ada0a356bf78cb9454d7c483896eca455659ba624596766e215

    • SSDEEP

      96:baKo33jkavQ9jRwGUvsvOwcvgGU83jwujQ9jRwGU+NyEujy48Eujy4U55FNda3Qg:H

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks