General

  • Target

    mkpub_proof of payment.rar

  • Size

    199KB

  • Sample

    230929-hfr2aagc5s

  • MD5

    dd13af23609ea16163dd666c38656d6e

  • SHA1

    a569528e44aaf5053e1e15fd438ab8e597f63b34

  • SHA256

    6be098d11f45a26ca51124867301356d56adf5a4901f1710ae34de450d802e67

  • SHA512

    792cdcd49b0b74bbf9521a202a08030e30f82f1cb59f7676f9cd3a9ffff564c619eaa4da41246311af82bc1fbcfacb8d253ef7d11410e12a6b600c2ef593b405

  • SSDEEP

    6144:jmXXIoWK+qtbSCm78l+lrFS+b+YOw1K4W:jcyIS7PSTYOw1k

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:1604

Targets

    • Target

      proof of payment.js

    • Size

      909KB

    • MD5

      f27847fc20b30026c51e0af483b9615b

    • SHA1

      ca1efe5d18ed26eb754eea44e489139c6a99784e

    • SHA256

      85047c1d66a2f4fd7f179cf957b27ac2c8925c02d9e1ac6d2f47fd925ed85e6f

    • SHA512

      d639f9caf639f7ddc683c3d6d3baa9d5d238ab9ba2267cad015902ac31462d3b23a72d5f806a64a1b258088df5ced2d240e6f617dfbc3022ff5bebd8e482006e

    • SSDEEP

      6144:MQY6OtQp/eDJ+YQOd5NxqbQ83MJR5Sd6CLvx7IfiOiRYAZ7dFuylY4LDWnMn4Z8X:Xx

    Score
    10/10
    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS forms; this sample is the JS variant.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence which victims the payload runs on.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
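
The report above gives two indicators worth hunting for straight away: the C2 URL and the hashes of the archive and the extracted script. The following is an added example, not part of the sandbox report, that matches those indicators against telemetry. Only the C2 URL and the file hashes are taken from the report; the proxy log lines, the log format, the host names and the hash inventory are constructed for illustration, and the IP lookup destination is a placeholder because the report does not name the service the sample used.

```python
"""Match the indicators in the report above against proxy and host telemetry.

Added example, not part of the sandbox report. The proxy log lines and the hash
inventory below are constructed; only the C2 URL and the file hashes are taken
from the report.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report.
C2_URL = "http://harold.2waky.com:1604"
REPORT_HASHES = {
    "dd13af23609ea16163dd666c38656d6e": "mkpub_proof of payment.rar",
    "a569528e44aaf5053e1e15fd438ab8e597f63b34": "mkpub_proof of payment.rar",
    "6be098d11f45a26ca51124867301356d56adf5a4901f1710ae34de450d802e67": "mkpub_proof of payment.rar",
    "f27847fc20b30026c51e0af483b9615b": "proof of payment.js",
    "ca1efe5d18ed26eb754eea44e489139c6a99784e": "proof of payment.js",
    "85047c1d66a2f4fd7f179cf957b27ac2c8925c02d9e1ac6d2f47fd925ed85e6f": "proof of payment.js",
}


def c2_host_port(url: str) -> tuple[str, int]:
    """Split the C2 URL into the (host, port) pair a proxy log records.
    The port defaults from the scheme when the URL omits it."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port


# Constructed proxy log. Format: <time> <client> <method> <dest_host>:<dest_port> <status>
# "ip-lookup.example" stands in for the unnamed IP lookup service in the report.
PROXY_LOG = """\
2023-09-29T09:58:03Z 10.20.4.31 GET ip-lookup.example:80 200
2023-09-29T09:58:07Z 10.20.4.31 POST harold.2waky.com:1604 200
2023-09-29T09:58:09Z 10.20.4.57 GET www.example.com:443 200
2023-09-29T10:03:12Z 10.20.4.31 POST HAROLD.2waky.com:1604 200
2023-09-29T10:04:00Z 10.20.4.88 GET harold.2waky.com:80 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<status>\d+)$"
)


def find_c2_contacts(log_text: str, c2_url: str = C2_URL) -> dict[str, list[tuple[str, str]]]:
    """Scan proxy log lines for the report's C2.

    'beacon' holds (timestamp, client) for lines that match host *and* port,
    the high-confidence hit. 'host_only' holds contacts to the same name on
    another port: worth a look, because 2waky.com is a dynamic-DNS zone and a
    name there can front more than one listener, but not conclusive on its own.
    Host comparison is case-insensitive; lines that do not parse are skipped.
    """
    host, port = c2_host_port(c2_url)
    result: dict[str, list[tuple[str, str]]] = {"beacon": [], "host_only": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["host"].lower() != host:
            continue
        bucket = "beacon" if int(m["port"]) == port else "host_only"
        result[bucket].append((m["ts"], m["client"]))
    return result


# Constructed hash inventory as an EDR export might give it: (host, path, digest),
# with digests in mixed case and of mixed algorithms.
HASH_INVENTORY = [
    ("WS-17", r"C:\Users\a\Downloads\mkpub_proof of payment.rar", "DD13AF23609EA16163DD666C38656D6E"),
    ("WS-17", r"C:\Users\a\Downloads\proof of payment.js",
     "85047c1d66a2f4fd7f179cf957b27ac2c8925c02d9e1ac6d2f47fd925ed85e6f"),
    ("WS-22", r"C:\Users\b\Documents\invoice.pdf", "0" * 64),
]


def match_hashes(inventory) -> list[tuple[str, str, str]]:
    """Return (host, path, report_target) for every digest the report lists.
    Normalising to lowercase lets an uppercase MD5 from one tool still match."""
    hits = []
    for host, path, digest in inventory:
        name = REPORT_HASHES.get(digest.strip().lower())
        if name is not None:
            hits.append((host, path, name))
    return hits


if __name__ == "__main__":
    for kind, contacts in find_c2_contacts(PROXY_LOG).items():
        for ts, client in contacts:
            print(f"{kind}: {client} -> {C2_URL} at {ts}")
    for host, path, name in match_hashes(HASH_INVENTORY):
        print(f"hash hit on {host}: {path} matches report target '{name}'")
```

The host-and-port match is the one to alert on; the host-only bucket exists because the report gives a single port, and a dynamic-DNS name is cheap for the operator to repoint, so contacts to the same name elsewhere deserve a second look rather than automatic dismissal.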

MITRE ATT&CK Enterprise v15

Tasks