General

  • Target

    ORDER-23788.xls.js

  • Size

    7KB

  • Sample

    230725-wm1tnaeg77

  • MD5

    6b57f84625e48278f611de466e10dea9

  • SHA1

    61432ddbd911264ce613f1549ab33f9635d446dd

  • SHA256

    4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a

  • SHA512

    6608bff89995d80ef243bdff96c2dd9a1f29a377fdf128e819d0ffde30ef23befbe8af4ca5550692052d34223839d54d016d6a4ac6a14d3559fc36aeaff782aa

  • SSDEEP

    96:MUf+CjnaYRApwXr7HRPNYtQH3srX2zWwPhHr/trkOHr+wc+i:O3PN

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15