General
-
Target
ORDER-234478F_List.pdf.js
-
Size
7KB
-
Sample
230617-gmjg2saa9s
-
MD5
0ab27c39f953786426a1814c3d78e273
-
SHA1
c2dafee3036af7f6940590e434a216ea5cc4d31e
-
SHA256
3628879ea59a4964b27d1e795c4b2af22dd1622727c9a1524b483bdf2576f350
-
SHA512
f24cf3b39e4fb5a5ecfde536ab9f4305ded62602dac27ab922a3d779ae6cc65595fc70e3fc7574696b6848144f7d434814d71d0f93c3221280b5a00ebc13cf11
-
SSDEEP
96:cwJIRiOFFIR8PbXG5u+bcvDT9IR1up4zmE+JaXIR8myoJ:c84kaDpqek/2
Malware Config
Extracted
wshrat
http://chongmei33.publicvm.com:7045
Targets
-
-
Target
ORDER-234478F_List.pdf.js
-
Size
7KB
-
MD5
0ab27c39f953786426a1814c3d78e273
-
SHA1
c2dafee3036af7f6940590e434a216ea5cc4d31e
-
SHA256
3628879ea59a4964b27d1e795c4b2af22dd1622727c9a1524b483bdf2576f350
-
SHA512
f24cf3b39e4fb5a5ecfde536ab9f4305ded62602dac27ab922a3d779ae6cc65595fc70e3fc7574696b6848144f7d434814d71d0f93c3221280b5a00ebc13cf11
-
SSDEEP
96:cwJIRiOFFIR8PbXG5u+bcvDT9IR1up4zmE+JaXIR8myoJ:c84kaDpqek/2
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-