General

  • Target

    60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js

  • Size

    1.1MB

  • Sample

    240503-b3m8aaea44

  • MD5

    45ece63fd62550c00c23129d45acc6ae

  • SHA1

    428b9734401dbb1c71cbe84894be3ac54f7f8f0f

  • SHA256

    60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928

  • SHA512

    35a97ce1eb9765d3f306b3478e6607889aa5130239cd85a351c81c94caf964a765db5f455c7777641996fb7f422980689be63ef3593a68c79ee275d2a7dc3935

  • SSDEEP

    24576:xnM9UoHmc6UHyDnk8VYJH2GLvXHLmhWeWJxuLiYZZNJIMmXL/MbiHmKA63OuQFfP:xnmTGCS48ZorOWe6jeZNJIpXjMbiHmKk

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Targets

    • Target

      60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm (H-Worm) and is distributed in both VBS and JS forms; this sample is the JS variant, which runs under the Windows Script Host (wscript.exe).

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

      The C2 host masterokrwh.duckdns.org is a DuckDNS dynamic-DNS name, so the operator can repoint it to a new IP without changing the sample; block or alert on the hostname, not only the resolved address.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
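As an added example (not part of this report and not any sandbox's own signature engine), the following Python turns the behaviour signatures listed above into detection logic and runs it over constructed Sysmon-style events. The event schema, the script-host list, the dynamic-DNS and IP-lookup host lists, and the three-signature threshold are assumptions for illustration; the C2 host and port are taken from the extracted config above.

```python
"""Detection logic for the WSHRAT behaviour signatures in the report above.

Added example, not code from the report or the sample. The Event schema is a
constructed, Sysmon-like subset (assumption); host lists and thresholds are
illustrative assumptions; C2_HOST / C2_PORT come from the report's config.
"""
import re
from dataclasses import dataclass

# IOCs taken from the report's extracted config.
C2_HOST = "masterokrwh.duckdns.org"
C2_PORT = 8426

# Assumptions: script hosts that rarely need network access, dynamic-DNS
# suffixes commonly abused for C2, and public IP-lookup services.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str    # "network", "file" or "registry"
    image: str   # basename of the originating process image
    target: str  # destination host, file path, or registry key
    port: int = 0


def flag_event(ev: Event) -> list[str]:
    """Return the signature names from the report that this one event matches."""
    hits = []
    img = ev.image.lower()
    tgt = ev.target.lower()
    if ev.kind == "network":
        if img in SCRIPT_HOSTS:
            hits.append("Blocklisted process makes network request")
        if tgt == C2_HOST and ev.port == C2_PORT:
            hits.append("WSHRAT C2")
        if tgt.endswith(DYNDNS_SUFFIXES):
            hits.append("Legitimate hosting services abused for malware hosting/C2")
        if tgt in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")
    elif ev.kind == "file" and STARTUP_DIR_RE.search(ev.target):
        hits.append("Drops startup file")
    elif ev.kind == "registry" and RUN_KEY_RE.search(ev.target):
        hits.append("Adds Run key to start application")
    return hits


def score_process(events):
    """Aggregate distinct signature hits per process image."""
    per_image = {}
    for ev in events:
        for h in flag_event(ev):
            per_image.setdefault(ev.image.lower(), set()).add(h)
    return {img: sorted(hits) for img, hits in per_image.items()}


def is_wshrat_like(events, threshold=3):
    """Script hosts with at least `threshold` distinct hits (assumed cut-off)."""
    return [img for img, hits in score_process(events).items()
            if img in SCRIPT_HOSTS and len(hits) >= threshold]


# Constructed sample events mirroring the report's signature list, plus one
# benign browser connection as a control.
SAMPLE_EVENTS = [
    Event("network", "wscript.exe", "masterokrwh.duckdns.org", 8426),
    Event("network", "wscript.exe", "api.ipify.org", 80),
    Event("file", "wscript.exe",
          r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.js"),
    Event("registry", "wscript.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\payload"),
    Event("network", "chrome.exe", "www.example.com", 443),
]

if __name__ == "__main__":
    for img, hits in score_process(SAMPLE_EVENTS).items():
        print(img, hits)
    print("WSHRAT-like processes:", is_wshrat_like(SAMPLE_EVENTS))
```

The per-process aggregation matters more than any single rule: a Run key write or an IP lookup on its own is noisy, but a Windows Script Host process that does both and also talks to a dynamic-DNS name on a non-standard port is the combination the report's signatures describe.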

MITRE ATT&CK Enterprise v15

Tasks
