General

  • Target

    2024 83529 p.m..js

  • Size

    830KB

  • Sample

    240503-xyr7bsge42

  • MD5

    3f2a1c1daacef7c9dc6f69c5362c9928

  • SHA1

    3ce5d81226174c6c048313b9702fec63491eb339

  • SHA256

    0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c

  • SHA512

    d325873f1fd3bf4393ce60329451874b2a7543c5c3068fd0427030f761f20f9e8539fed72ff24155cfc6d7d609a997c1ceb91cc643a79732c0a2bf97c731eee9

  • SSDEEP

    24576:hKDnslywYmw3SkKNuhf+0s3S3PnukeZauv/k5IgPZ5i:hKbstYmw3SNwhm0CSfgauvmLi

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks