General
-
Target
cf72d509b3534e6ea44e8f27e8e24af6
-
Size
734KB
-
Sample
240317-al1avahg75
-
MD5
cf72d509b3534e6ea44e8f27e8e24af6
-
SHA1
8088b36b5a9c6308bdeb11c01d8ff0fbe72b2702
-
SHA256
1717e15dfe01d566d9e4880e4a4ccfdf7d2096d859e91cc1b8062afb61074060
-
SHA512
da92da83857ce77b1d5a275c2be557cba140cb653cb2d15d66d5dfe53adbcaf0cf3eeab814ac54732ed4b5a09bbbf6e3272cfb33b2510f079ba6ff1505989129
-
SSDEEP
12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCM+PKSXrEh6O6:uRmJkcoQricOIQxiZY1iaCMYKSDO6
Malware Config
Targets
-
-
Target
cf72d509b3534e6ea44e8f27e8e24af6
-
Size
734KB
-
MD5
cf72d509b3534e6ea44e8f27e8e24af6
-
SHA1
8088b36b5a9c6308bdeb11c01d8ff0fbe72b2702
-
SHA256
1717e15dfe01d566d9e4880e4a4ccfdf7d2096d859e91cc1b8062afb61074060
-
SHA512
da92da83857ce77b1d5a275c2be557cba140cb653cb2d15d66d5dfe53adbcaf0cf3eeab814ac54732ed4b5a09bbbf6e3272cfb33b2510f079ba6ff1505989129
-
SSDEEP
12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCM+PKSXrEh6O6:uRmJkcoQricOIQxiZY1iaCMYKSDO6
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
WSHRAT payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-