wshrat | 21d1b6a68906c9062a548838de678dc76f763bb8300ae753e352716dcdd9be7b | Triage

Sharing

General

Target

Tax-Returns-Of-R58-765.js
Size

1.0MB
Sample

231023-ppc22sae87
MD5

aa4bb1e4cfe615e1890c18959f0f6fe6
SHA1

00fead3c49c16e409139630f011a00f2254adb9e
SHA256

21d1b6a68906c9062a548838de678dc76f763bb8300ae753e352716dcdd9be7b
SHA512

39489bbad7b8bbf59082531800bd78e2fce2475508addc0ddc43b17073500250bebc8491acaaff2e72b0fe364d52bde6ed81a9e338a53c9ff3b78962937040f3
SSDEEP

1536:MQ65yrQXApr8K8Y898K8Y8y3CAnuCLkxN013iog2jUS0XS0PH6Z86iLvXg0AnhPd:MQqEY1jbMYBX9h34FC/

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.ns01.info:3609

Targets

- Target
  
  Tax-Returns-Of-R58-765.js
- Size
  
  1.0MB
- MD5
  
  aa4bb1e4cfe615e1890c18959f0f6fe6
- SHA1
  
  00fead3c49c16e409139630f011a00f2254adb9e
- SHA256
  
  21d1b6a68906c9062a548838de678dc76f763bb8300ae753e352716dcdd9be7b
- SHA512
  
  39489bbad7b8bbf59082531800bd78e2fce2475508addc0ddc43b17073500250bebc8491acaaff2e72b0fe364d52bde6ed81a9e338a53c9ff3b78962937040f3
- SSDEEP
  
  1536:MQ65yrQXApr8K8Y898K8Y8y3CAnuCLkxN013iog2jUS0XS0PH6Z86iLvXg0AnhPd:MQqEY1jbMYBX9h34FC/
Score

10^/10

wshrat trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2