Overview

overview

10

Static

static

3

bb1a60d48e...f2.exe

windows7-x64

10

bb1a60d48e...f2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

  • Size

    2.0MB

  • Sample

    231012-qerywsbc5v

  • MD5

    263d8628ff6e9c99318da99bb42007f4

  • SHA1

    c0450285843855e54b2b5aa7ee8d1a2f524218e9

  • SHA256

    bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

  • SHA512

    93d6a334ea62a876bab4c2c904b515fae2de919f9d5813123fbf38a02e76f02f026528d8db031e01baa525edad242683a689418eab8d3f8aab489d55c45b8114

  • SSDEEP

    1536:waXjwDPE6yzTBMfT9/8n+NwRw7ySsgWNybmXfaKHFjyRcf7tZ4G5tJJmmrvf/Fco:NYPFyzTBMfw+N/Zs/N4ovsWZ93co

Score
10/10
wshrattrojan

Malware Config

Targets

    • Target

      bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

    • Size

      2.0MB

    • MD5

      263d8628ff6e9c99318da99bb42007f4

    • SHA1

      c0450285843855e54b2b5aa7ee8d1a2f524218e9

    • SHA256

      bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

    • SHA512

      93d6a334ea62a876bab4c2c904b515fae2de919f9d5813123fbf38a02e76f02f026528d8db031e01baa525edad242683a689418eab8d3f8aab489d55c45b8114

    • SSDEEP

      1536:waXjwDPE6yzTBMfT9/8n+NwRw7ySsgWNybmXfaKHFjyRcf7tZ4G5tJJmmrvf/Fco:NYPFyzTBMfw+N/Zs/N4ovsWZ93co

    Score
    10/10
    wshrattrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks