General
Target: NEAS.NEASNEAS8dd2823b8343b3b64877355cb6b2b9f88d06b4dd586641fde317c592259b99caexeexeexe_JC.exe
Size: 168KB
Sample: 231013-v2f75acc9t
MD5: 9ba2229027f01e7ae4fd53c291a2fc06
SHA1: 381e20e13c6dbf5bd287cc616b7748c09c419c3e
SHA256: 8dd2823b8343b3b64877355cb6b2b9f88d06b4dd586641fde317c592259b99ca
SHA512: 98402fe6ed1c21d3cdde6f4fde79c2b540bc85773f00f811e545f77b740217a15baaa10ef56de22be4eb4b057a73af52267ec45043efedaf1f5e43d2d906f694
SSDEEP: 3072:pDKW1LgppLRHMY0TBfJvjcTp5Xqy31QinAlSVsr:pDKW1Lgbdl0TBBvjc/jQinAk+

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.NEASNEAS8dd2823b8343b3b64877355cb6b2b9f88d06b4dd586641fde317c592259b99caexeexeexe_JC.exe
Resource: win7-20230831-en

Malware Config

Targets
Target: NEAS.NEASNEAS8dd2823b8343b3b64877355cb6b2b9f88d06b4dd586641fde317c592259b99caexeexeexe_JC.exe
Size: 168KB
MD5: 9ba2229027f01e7ae4fd53c291a2fc06
SHA1: 381e20e13c6dbf5bd287cc616b7748c09c419c3e
SHA256: 8dd2823b8343b3b64877355cb6b2b9f88d06b4dd586641fde317c592259b99ca
SHA512: 98402fe6ed1c21d3cdde6f4fde79c2b540bc85773f00f811e545f77b740217a15baaa10ef56de22be4eb4b057a73af52267ec45043efedaf1f5e43d2d906f694
SSDEEP: 3072:pDKW1LgppLRHMY0TBfJvjcTp5Xqy31QinAlSVsr:pDKW1Lgbdl0TBBvjc/jQinAk+

- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext