General
Target: 1eef9f1c50a5362d4ff555b6cc5bc5df.bin
Size: 6KB
Sample: 231012-ncyybafb7v
MD5: 9aa0b3598b33f4fab63befd84a471068
SHA1: 33f1f95707db536001a3b4ec9fb6499808e118f6
SHA256: 82dbbd2e96ffda915fb24e4c4f74155bbe535df69ec59f2255fbe2744a0235fc
SHA512: 94d91cdb2cad268144c7f3c9a3d8414bd32ef3d8bb9991b9897bf1e45dbd1365d8e8cb51af9b09d39148446a881dd54b86a178e5a89c1ec0c56ff931d76e4159
SSDEEP: 192:zuiz6aO5Zvw11BymaA1HLOylgo8MTOyzy5OZp7Xdg9vd//:CiuaO5ZvwrBrZNOylg3KqONQx/
Static task: static1
Behavioral task: behavioral1
Sample: 420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867.exe
Resource: win7-20230831-en
Malware Config
Targets
Target: 420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867.exe
Size: 12KB
MD5: 1eef9f1c50a5362d4ff555b6cc5bc5df
SHA1: caa4099e942052634cea6fc2866d9652f09cf546
SHA256: 420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867
SHA512: 56c41cf987ba22ddac2cac9ef10e3dbadf2abd99ca0ed3510883d532cc5d1625ce50426308b8e91bd20645e3812074b31b977976646d751621dd18a92b877218
SSDEEP: 192:nlv0pHLdF1bvM+A4tLHwpTxHR95w0J1dZdckF+syKtieOv:d+Lxbk+A4tTyFSvsyuDO
Signatures
- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
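To make the behaviour signatures above concrete, here is an added Python example (written for this page, not the sandbox's own signature code) that re-implements seven of the nine checks as detection logic over a constructed list of sandbox events. The sample path, dropped-file path, hosts and event layout are made up for the example; the blocklisted-process list, the geofence registry value and the IP-lookup host list are assumed heuristics, not the sandbox's actual rules. The WSHRAT payload identification and the hosting-service check are left out because they depend on YARA rules and a domain list the report does not give.

```python
"""Toy re-implementation of the report's behaviour signatures over constructed events."""
import ntpath
import struct

# Constructed paths (not from the report): the analysed sample and a script host it spawns.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Assumption: script hosts / LOLBins a sandbox flags when they open sockets themselves.
BLOCKLISTED_PROCESSES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "regsvr32.exe"}
# Assumption: the registry value a geofence check reads for the configured country code.
GEO_NATION_KEY = r"hkey_current_user\control panel\international\geo\nation"
# Assumption: public "what is my IP" services.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def evaluate(events, sample_path=SAMPLE_PATH):
    """Return the set of signature names fired by a list of event dicts.

    Each event has a 'type' and the full image path of the acting 'process';
    other keys depend on the type (host/response, key, path, image, api).
    """
    fired = set()
    # Files written during the run, so a later process launch can be tied to a drop.
    dropped = {e["path"].lower() for e in events if e["type"] == "file_write"}
    for ev in events:
        kind, proc = ev["type"], ntpath.basename(ev["process"]).lower()
        if kind == "network":
            if proc in BLOCKLISTED_PROCESSES:
                fired.add("Blocklisted process makes network request")
            if ev.get("host", "").lower() in IP_LOOKUP_HOSTS:
                fired.add("Looks up external IP address via web service")
            if is_pe(ev.get("response", b"")):
                fired.add("Downloads MZ/PE file")
        elif kind == "registry" and ev["key"].lower() == GEO_NATION_KEY:
            fired.add("Checks computer location settings")
        elif kind == "process_create" and ev["image"].lower() in dropped:
            fired.add("Executes dropped EXE")
        elif kind == "file_delete" and ev["path"].lower() == sample_path.lower():
            fired.add("Deletes itself")
        elif kind == "api" and ev["api"] == "SetThreadContext":
            fired.add("Suspicious use of SetThreadContext")
    return fired


# Constructed minimal PE image: MZ header, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 0x10

# Constructed event trace illustrating the chain the report describes.
SAMPLE_EVENTS = [
    {"type": "registry", "process": SAMPLE_PATH,
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "process": SAMPLE_PATH, "path": r"C:\Users\Public\svc.exe"},
    {"type": "process_create", "process": SAMPLE_PATH, "image": r"C:\Users\Public\svc.exe"},
    {"type": "api", "process": SAMPLE_PATH, "api": "SetThreadContext"},
    {"type": "file_delete", "process": r"C:\Windows\System32\cmd.exe", "path": SAMPLE_PATH},
    {"type": "network", "process": WSCRIPT, "host": "api.ipify.org", "response": b"203.0.113.7"},
    {"type": "network", "process": WSCRIPT, "host": "cdn.example.invalid", "response": FAKE_PE},
]

if __name__ == "__main__":
    for name in sorted(evaluate(SAMPLE_EVENTS)):
        print(name)
```

The drop-then-execute and self-delete checks are correlations across events rather than single-event matches, which is why the function first collects written paths; the PE check reads `e_lfanew` instead of only testing for `MZ`, so a text response that happens to start with those two bytes is not reported as a download of an executable.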