General
-
Target
57679766d792132497921ab478f7802f3599a8d19a9c4190045e3a139e9f2c52.js
-
Size
2.1MB
-
Sample
240504-bn62vahe7z
-
MD5
40d85b56e7392f84a265c3e43209112c
-
SHA1
c10e1c1c487f84dbb2cf5089f473529114a89859
-
SHA256
57679766d792132497921ab478f7802f3599a8d19a9c4190045e3a139e9f2c52
-
SHA512
203709c65208887bdc78bc02d366ee48a04b90e7e701876416a04b98b12e01e18e5468ddb69ff018ea52816b9e4eae0787bc024cc550d2d35271191829ae7690
-
SSDEEP
49152:gZknKnkiP2Kkaq4ePu3SomhEvQZuqCniSZae2h6ifBUw5LWrVRRNb/YopQESU3oW:w
Malware Config
Extracted
wshrat
http://masterokrwh.duckdns.org:8426
Targets
-
-
Target
57679766d792132497921ab478f7802f3599a8d19a9c4190045e3a139e9f2c52.js
-
Size
2.1MB
-
MD5
40d85b56e7392f84a265c3e43209112c
-
SHA1
c10e1c1c487f84dbb2cf5089f473529114a89859
-
SHA256
57679766d792132497921ab478f7802f3599a8d19a9c4190045e3a139e9f2c52
-
SHA512
203709c65208887bdc78bc02d366ee48a04b90e7e701876416a04b98b12e01e18e5468ddb69ff018ea52816b9e4eae0787bc024cc550d2d35271191829ae7690
-
SSDEEP
49152:gZknKnkiP2Kkaq4ePu3SomhEvQZuqCniSZae2h6ifBUw5LWrVRRNb/YopQESU3oW:w
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-