Overview

overview

10

Static

static

1

019e983d91...258.js

windows7-x64

10

019e983d91...258.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0b7c8b483dbe9dd80dcfc2efc2fe3595.bin

  • Size

    159KB

  • Sample

    240504-bc6xpscb77

  • MD5

    bfae4b576f919267c885282c1bf690e8

  • SHA1

    d31804781fc0cd65d5f2b36c1b1125bb2ce403ba

  • SHA256

    ba6e9387e0532f28f102888be55c228f62286e7cf5aa4f69ed5827940d72ec41

  • SHA512

    7a388f904fe1b291faeee5f16d061207f17e2bdef7b65e8dfe6fa0786906a67c93195994c8ed3b80388f5619be48efc5fc62c44e0adb1527e583419b45f658e8

  • SSDEEP

    3072:xsor9VTvAeckGiS+ZF2FzkfEL+C6tLyDQmJZyX5mKYL48nK9r2l/qVHremI:xHVTvAecNiSQfVlDmJZyX5sL4uK9rc/p

Score
10/10
wshratexecutionpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Targets

    • Target

      019e983d91ef29bce54e750ec620a7e63418f34c9a393f3f44e11cbfa39c2258.js

    • Size

      615KB

    • MD5

      0b7c8b483dbe9dd80dcfc2efc2fe3595

    • SHA1

      097e1054b08e5b6e454def018a04e865fb02874c

    • SHA256

      019e983d91ef29bce54e750ec620a7e63418f34c9a393f3f44e11cbfa39c2258

    • SHA512

      118be8d4c92581e3f51330eebfd5e7c5549e21b5d466d68799ddd6e7dc47b82e08f1924fabb7f049e0739da6f079983f4a2b87ab2957dc260b4763362406a321

    • SSDEEP

      12288:rYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMt:rYeIrWr/qRigAyX/kngXFbjTLvaH28nQ

    Score
    10/10
    wshratexecutionpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks