General
-
Target
06858399.js
-
Size
1010KB
-
Sample
230612-nxwcxsbh66
-
MD5
05f7dda308f1bc24abadf8aa3371330b
-
SHA1
aa06855668ac9804721adacbc152ff0c302562cc
-
SHA256
00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52
-
SHA512
584b38cd5c00fc67a1bbe11d0d76933ab688dc5cdf307729f6a0a230fa63cdb0402e3ea2bdb9c5adbdd89e8f223e04664754e5878bcf7769482d97938c1a7fe7
-
SSDEEP
3072:7jqQUG/tGfT5hmFesTlDxVa9H8EHGK125p5DE0VsW3ikFBWdtm++fm6KMZ8:7jqQUG/tGfT5hmFesT1xKNoisI
Malware Config
Extracted
wshrat
http://45.90.222.125:7121
Targets
-
-
Target
06858399.js
-
Size
1010KB
-
MD5
05f7dda308f1bc24abadf8aa3371330b
-
SHA1
aa06855668ac9804721adacbc152ff0c302562cc
-
SHA256
00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52
-
SHA512
584b38cd5c00fc67a1bbe11d0d76933ab688dc5cdf307729f6a0a230fa63cdb0402e3ea2bdb9c5adbdd89e8f223e04664754e5878bcf7769482d97938c1a7fe7
-
SSDEEP
3072:7jqQUG/tGfT5hmFesTlDxVa9H8EHGK125p5DE0VsW3ikFBWdtm++fm6KMZ8:7jqQUG/tGfT5hmFesT1xKNoisI
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-