General

  • Target

    2024 12:59:31 a.m..js

  • Size

    2.1MB

  • Sample

    240502-2fdcnsac74

  • MD5

    a6397cdb9e01000e53c123893acad42c

  • SHA1

    6cd4fbdf9d806e21533c546e3aca996d20a611ba

  • SHA256

    010095c8ca094243c44f0d489b55dc1a132e0f776ab71e6bc221ff8c127a810b

  • SHA512

    3f2dd11560d819839697a3f256a9e4dae693f7401d4b870c93d40d1c9d35449de35e7366acf1ca66d537759ff62d6a1859c906d792847074f88740a3536510a5

  • SSDEEP

    49152:DScjW/OiHYKmqYRBWiV0j79VyNBrccl3dndiGrlvU2YpLharpFL5+gzzPsg0m2Qh:/

Malware Config

  • Extracted

    Family: wshrat

    C2: http://masterokrwh.duckdns.org:8426

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
