General

  • Target

    Request For Quotation.xz

  • Size

    202KB

  • Sample

    230714-mwjgasdc46

  • MD5

    eb22ff9e3559982a0e8e42d1e1030835

  • SHA1

    2b96f97045e71adbb890a2cda60c4e969b132bd4

  • SHA256

    712b6c5a744401fc648b910cca5d3f4529722d8eb85cb9f16b19b0495ff058bc

  • SHA512

    ab8dc450aefa57174a6ef90241f8fa1390ec3261200c69405403c81bb02414ef7c831e60471f832144253796a2d7c09cebfecf278f8b55f5f988bdfdb51e4590

  • SSDEEP

    6144:5KnwDkanQFCIStB8d1/5MDWY6VkLnkCphjHBT:InwDkgI+B8CDRmkLPphjHBT

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • Target

      Request For Quotation.js

    • Size

      941KB

    • MD5

      8b3ad681d5649f4c1955096bc04bfe18

    • SHA1

      09ef01f730ceef26760567522dfe3e87f59afc8a

    • SHA256

      31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f

    • SHA512

      20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab

    • SSDEEP

      6144:QQ9uAGLJjAtJ5uRtO+I5rHjqOcT8cZ3JijlE2LN00moJpVMqZ76SVLY6QT4AFe0V:TG

    Score
    10/10
    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v6

Tasks