Overview

overview

10

Static

static

3

6b262e3cfe...fb.exe

windows7-x64

10

6b262e3cfe...fb.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6b262e3cfe7e64378337669bbdf768fb.exe

  • Size

    607KB

  • Sample

    230929-nwqq2sbf37

  • MD5

    6b262e3cfe7e64378337669bbdf768fb

  • SHA1

    6f2c63adcdda5114299344058464016be1a87c70

  • SHA256

    577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea

  • SHA512

    36e39838c5cd75ff3f14a8d46cfcd9e3ebe12d9c9f35e9fdb6337a3e947d51e383c6800a34a76aab7b9fafd57032110f601c85acf7d19bf381b4e58a13e8363c

  • SSDEEP

    12288:dh1Lk70TnvjcZsqnY9LH8Vaxc07BK9GGjcCUfHP2kuGZiCKAzDN/ELq:Zk70TrcZr3ycKNubUfHDFkCK8h/1

Score
10/10
wshratpersistencetrojan

Malware Config

Targets

    • Target

      6b262e3cfe7e64378337669bbdf768fb.exe

    • Size

      607KB

    • MD5

      6b262e3cfe7e64378337669bbdf768fb

    • SHA1

      6f2c63adcdda5114299344058464016be1a87c70

    • SHA256

      577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea

    • SHA512

      36e39838c5cd75ff3f14a8d46cfcd9e3ebe12d9c9f35e9fdb6337a3e947d51e383c6800a34a76aab7b9fafd57032110f601c85acf7d19bf381b4e58a13e8363c

    • SSDEEP

      12288:dh1Lk70TnvjcZsqnY9LH8Vaxc07BK9GGjcCUfHP2kuGZiCKAzDN/ELq:Zk70TrcZr3ycKNubUfHDFkCK8h/1

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • WSHRAT payload

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks