General
Target: 6b57f84625e48278f611de466e10dea9.bin
Size: 929B
Sample: 230727-bszhkagh24
MD5: 094b7568b6ec6d7eba2690ee3e98a69f
SHA1: 94849883fce98d6fc9b92b8731fa168343b5b79b
SHA256: bc29798c8671a3ac240a0d34e8f99003466ede8cf6902f8de9c0e9e640dd454b
SHA512: 97e89bc903e1bfe399ecf03a77498239d0b16775c712d10c20f3766850c26abd48e63cd69b5eef63c3145cd55a811ae56a1d5f431acac21c11dfdb9c6844d600
Static task: static1
Behavioral task: behavioral1
  Sample: 4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a.js
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a.js
  Resource: win10v2004-20230703-en
Malware Config
Extracted
  Family: wshrat
  C2: http://chongmei33.publicvm.com:7045
Targets
Target: 4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a.js
Size: 7KB
MD5: 6b57f84625e48278f611de466e10dea9
SHA1: 61432ddbd911264ce613f1549ab33f9635d446dd
SHA256: 4b88ca8115abf6400f900d9eeadd9793806c3c4314868bb6080e88b697ecef1a
SHA512: 6608bff89995d80ef243bdff96c2dd9a1f29a377fdf128e819d0ffde30ef23befbe8af4ca5550692052d34223839d54d016d6a4ac6a14d3559fc36aeaff782aa
SSDEEP: 96:MUf+CjnaYRApwXr7HRPNYtQH3srX2zWwPhHr/trkOHr+wc+i:O3PN
Score: 10/10
- WSHRAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
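The behaviours the report lists (a script host making network requests, the C2 contact, a startup-folder drop and a Run-key write) can be correlated per process from endpoint telemetry. The following is an added example and is not code from the sandbox, the report or the WSHRAT sample. It assumes Sysmon-style events (IDs 1, 3, 11, 13) already parsed into Python dicts; the event records, process IDs, user paths, SID and the IP-lookup hostname are constructed for the example, and the "blocklisted process" is assumed to mean the Windows Script Host binaries wscript.exe and cscript.exe. Only the C2 URL is taken from the report.

```python
"""Correlate Sysmon-style events against the behaviours in the WSHRAT report.

Added example, not part of the report. Event records below are constructed;
only WSHRAT_C2 comes from the report's extracted config.
"""
from collections import defaultdict
from urllib.parse import urlsplit

WSHRAT_C2 = "http://chongmei33.publicvm.com:7045"   # from the report

# Assumption: the "blocklisted process" is a Windows Script Host binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run\\"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_c2(url: str) -> tuple[str, int]:
    """Split the extracted C2 URL into (hostname, port); 80/443 if no explicit port."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict, c2_host: str, c2_port: int) -> set[str]:
    """Map one event to the behaviour labels used in the report."""
    labels = set()
    eid = event["id"]
    is_script_host = image_name(event["image"]) in SCRIPT_HOSTS
    target = event.get("target", "").lower()
    if eid == 1 and is_script_host:                       # ProcessCreate
        if event.get("cmd", "").lower().rstrip('"').endswith(SCRIPT_EXTS):
            labels.add("script_host_launch")
    if eid == 3 and is_script_host:                       # NetworkConnect
        labels.add("script_host_network")
        if event["dst_host"].lower() == c2_host and event["dst_port"] == c2_port:
            labels.add("wshrat_c2_contact")
    if eid == 11 and STARTUP_MARKER in target:            # FileCreate
        labels.add("startup_file_drop")
    if eid == 13 and RUN_KEY_MARKER in target:            # RegistryEvent (value set)
        labels.add("run_key_persistence")
    return labels


def triage(events: list[dict], c2_url: str = WSHRAT_C2) -> dict[int, list[str]]:
    """Return {pid: sorted labels} for processes matching the report's chain.

    A process is flagged if it contacts the extracted C2, or if a script host
    both talks to the network and establishes persistence (startup file or Run key).
    """
    c2_host, c2_port = parse_c2(c2_url)
    per_pid: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]] |= classify(ev, c2_host, c2_port)
    flagged = {}
    for pid, labels in per_pid.items():
        persists = labels & {"startup_file_drop", "run_key_persistence"}
        if "wshrat_c2_contact" in labels or ("script_host_network" in labels and persists):
            flagged[pid] = sorted(labels)
    return flagged


# Constructed sample telemetry (not from the report). SID and paths are invented.
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
HKU_RUN = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
EVENTS = [
    {"id": 1, "pid": 4242, "image": WSCRIPT,
     "cmd": WSCRIPT + ' "C:\\Users\\victim\\Downloads\\invoice.js"'},
    {"id": 11, "pid": 4242, "image": WSCRIPT,
     "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\invoice.js"},
    {"id": 13, "pid": 4242, "image": WSCRIPT, "target": HKU_RUN + "invoice"},
    {"id": 3, "pid": 4242, "image": WSCRIPT, "dst_host": "ip-lookup.example", "dst_port": 443},
    {"id": 3, "pid": 4242, "image": WSCRIPT, "dst_host": "chongmei33.publicvm.com", "dst_port": 7045},
    # Benign noise: a browser talking TLS and an updater writing its own Run key.
    {"id": 3, "pid": 7001, "image": CHROME, "dst_host": "www.example.com", "dst_port": 443},
    {"id": 13, "pid": 7001, "image": CHROME, "target": HKU_RUN + "GoogleUpdate"},
]

if __name__ == "__main__":
    for pid, labels in triage(EVENTS).items():
        print(pid, ", ".join(labels))
```

The Run-key and startup-folder checks deliberately do not require a script-host image on their own; they only contribute to a verdict when the same process also makes network requests as a script host, which keeps an installer's Run-key write out of the alert. Registry reads of the country code (the geofence check) and SetThreadContext are not visible in these four event types and are left to a sandbox or API-level monitor.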