General
Target: 07052024_1016_Invoice879340_Payment_09784359302_PDF.JS
Size: 616KB
Sample: 240507-mazw6abg9t
MD5: 46c7528b89b7228e05f84b73f73dddbd
SHA1: eefac6832616c9d74432923113d6e531bc5089c6
SHA256: 2db5dfc57b5ecd0cf2825e985507ea40dc3419b51f86794c5bd95dd8f92b3276
SHA512: b5fff9d4732873940fb31a2606388e17e614abae29970bce01d20ffcdbcdef8404aead2fcaef452db6621dbcac3bc813928fab8bdb56788986a4db0a56989dea
SSDEEP: 12288:fYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMa:fYeIrWr/qRigAyX/kngXFbjTLvaH28np
Static task: static1

Behavioral task: behavioral1
Sample: 07052024_1016_Invoice879340_Payment_09784359302_PDF.js
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 07052024_1016_Invoice879340_Payment_09784359302_PDF.js
Resource: win10v2004-20240226-en
Malware Config
Extracted: wshrat
http://masterokrwh.duckdns.org:8426
Targets
Target: 07052024_1016_Invoice879340_Payment_09784359302_PDF.JS
Size: 616KB
MD5: 46c7528b89b7228e05f84b73f73dddbd
SHA1: eefac6832616c9d74432923113d6e531bc5089c6
SHA256: 2db5dfc57b5ecd0cf2825e985507ea40dc3419b51f86794c5bd95dd8f92b3276
SHA512: b5fff9d4732873940fb31a2606388e17e614abae29970bce01d20ffcdbcdef8404aead2fcaef452db6621dbcac3bc813928fab8bdb56788986a4db0a56989dea
SSDEEP: 12288:fYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMa:fYeIrWr/qRigAyX/kngXFbjTLvaH28np
Score: 10/10

Signatures:
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.