General
- Target: Request For Quotation(RFQ).js
- Size: 946KB
- Sample: 230810-rsca2ade76
- MD5: 70ebc4c266527efd8a70e6ff259d0ce1
- SHA1: 44209fe366081d1a1191f7b7dbfd27f34e23d755
- SHA256: 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
- SHA512: 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d
- SSDEEP: 6144:QQ7Eqk/qylpe5u9cyON5Q5iOG7xKMBjEZcqjIfgSPyDlLnMC31I1lvERmcfbqPo5:TGF
Static task
static1
Behavioral task
behavioral1
Sample
Request For Quotation(RFQ).js
Resource
win7-20230712-en
Malware Config
Extracted
wshrat
http://harold.2waky.com:3609
Targets
- Target: Request For Quotation(RFQ).js
- Blocklisted process makes network request
- Drops startup file
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.