General
-
Target
433febbbc8e5d0eeed7b3aaa9ad15558.bin
-
Size
4KB
-
Sample
240325-b3sg1ace48
-
MD5
f4fa194db60ee550290ceb7e0027b046
-
SHA1
cb1351ce75518f8414e701bcc72cb5c92b6dd16e
-
SHA256
70485d4f6c3c72f2cb5df9b62858652cc9e87751fed8bad111383a12e09747bf
-
SHA512
09f591fe272eda765e4bf328f5a35d4803264cbd4fd6b8c34f2aac7c757bf8c905ca5deb29bf892d50c90d60eb3a67bf79149bfa977f8698819cd2e6e9bbeee5
-
SSDEEP
96:mMN+FmdGZ4z+FGsZp+DPBbWiqwDBRK94NFUmBSEpsZZeEND31xJW:v+L4CFGxbpD6YFI8gzNrfs
Malware Config
Extracted
wshrat
http://paulrdp02.duckdns.org:1604
Targets
-
-
Target
25b4135b1c971889bcf7b36da063ea24025e2a67e22b3dd84ebb8f556b75823e.vbs
-
Size
19KB
-
MD5
433febbbc8e5d0eeed7b3aaa9ad15558
-
SHA1
83905f45e2c6977f35e7db522052295d739fd667
-
SHA256
25b4135b1c971889bcf7b36da063ea24025e2a67e22b3dd84ebb8f556b75823e
-
SHA512
6cae2f6e7b86052af6f812e815128f67ce76f44e56b9bfdb5e4fa0ce2fba5610deb830334162b330e5e494bece380d1f7e053f6f89eac398d48fe49cbb3626ec
-
SSDEEP
384:vKNssJiGagRYwZSFFOECXCghDStXdTX2XXXiXs31TNWE/cJ1:vq9agRYwZSGECXCgM7rGHqc1IE/m
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-