Overview

overview

10

Static

static

1

Documento.PDF.js

windows7-x64

10

Documento.PDF.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2752495580a979c88438dcc38907c3b8

  • Size

    84KB

  • Sample

    231231-elrqxshba9

  • MD5

    2752495580a979c88438dcc38907c3b8

  • SHA1

    d13add65fdee9c2b86925ed112d73685011e463b

  • SHA256

    5e97f6fda0b360ee80bbf174a7fd063a3916c577d3e98d4b05024ef3dd304c51

  • SHA512

    cd0ecb8db07389a11cc4f676f0972e4160acfa0f54bc25b432ffefdd5a84b1afd7d1709d4193f20f8916ea5af74feb644fbb94f6786add1ef243b14a6e2e7b51

  • SSDEEP

    1536:FqBSRhkwJsEh0Z+5YVUqXdcamTFwABKte6EVLY8Kif/2j4K9iKfL/CMZPUDLnVY:FYSRhzJu3HtcRFwOKtKLYIWsK9iK/U1Y

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://trabajovalle2019.duckdns.org:2040

Targets

    • Target

      Documento.PDF.js

    • Size

      673KB

    • MD5

      6cfadcba2b7a883a4466a8def0e2b446

    • SHA1

      f2680fb39456133b5e034a8642d32c0682ee5f1f

    • SHA256

      85e41bab0ec97c8110d96123d9c0d0c3431dbe4b388f5695baf5221e9d736718

    • SHA512

      d0ca442e9b56a4cad02d51320d63c193c54c7ee1c9aa6146a0ca099d31cebacf70878142cc140244b38b58122f6da577888310ce236cb3db142b2550eeedaa64

    • SSDEEP

      1536:lRxRZ4C5xLSYmOL0hQr8uz3PdkLjNrHBbNHSNL9UL5KT6nsQjkB:h3PdkLjNrhbNHSNLEsYE

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks