General

  • Target

    6b57f84625e48278f611de466e10dea9.bin

  • Size

    929B

  • Sample

    230727-bszhkagh24

  • MD5

    094b7568b6ec6d7eba2690ee3e98a69f

  • SHA1

    94849883fce98d6fc9b92b8731fa168343b5b79b

  • SHA256

    bc29798c8671a3ac240a0d34e8f99003466ede8cf6902f8de9c0e9e640dd454b

  • SHA512

    97e89bc903e1bfe399ecf03a77498239d0b16775c712d10c20f3766850c26abd48e63cd69b5eef63c3145cd55a811ae56a1d5f431acac21c11dfdb9c6844d600

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://chongmei33.publicvm.com:7045

Targets

    • Target

      4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a.js

    • Size

      7KB

    • MD5

      6b57f84625e48278f611de466e10dea9

    • SHA1

      61432ddbd911264ce613f1549ab33f9635d446dd

    • SHA256

      4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a

    • SHA512

      6608bff89995d80ef243bdff96c2dd9a1f29a377fdf128e819d0ffde30ef23befbe8af4ca5550692052d34223839d54d016d6a4ac6a14d3559fc36aeaff782aa

    • SSDEEP

      96:MUf+CjnaYRApwXr7HRPNYtQH3srX2zWwPhHr/trkOHr+wc+i:O3PN

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks