General
-
Target
ProofOfPayment.js
-
Size
1011KB
-
Sample
240926-qtnvsazbnl
-
MD5
f9c0e7f72f05287cb2bf7209e821e1d3
-
SHA1
551298a27c615509767296f4a85448cef9d1b02a
-
SHA256
7407ae87e5b4691b5b9a99158ae3418be6aa476546abad58a024ee791d841e70
-
SHA512
7f87ad74595ac4226ea1fc605fdfedf3f945b3924a92c665e8fd34a085de5b7aeb3fb5ce5b801ae00799d3de5a27b7269757e3911b1de18c93c4a9e3b4e7ebba
-
SSDEEP
3072:HQGFKqpcN1UY+fCJPTrAIk9t4nx8nxYPt0Il+QrigNvU1Ol9IgzjgoL:HQGFKqpcN1UY+fCJrh9HjgoL
Malware Config
Extracted
wshrat
http://rolla.wikaba.com:2025
Targets
-
-
Target
ProofOfPayment.js
-
Size
1011KB
-
MD5
f9c0e7f72f05287cb2bf7209e821e1d3
-
SHA1
551298a27c615509767296f4a85448cef9d1b02a
-
SHA256
7407ae87e5b4691b5b9a99158ae3418be6aa476546abad58a024ee791d841e70
-
SHA512
7f87ad74595ac4226ea1fc605fdfedf3f945b3924a92c665e8fd34a085de5b7aeb3fb5ce5b801ae00799d3de5a27b7269757e3911b1de18c93c4a9e3b4e7ebba
-
SSDEEP
3072:HQGFKqpcN1UY+fCJPTrAIk9t4nx8nxYPt0Il+QrigNvU1Ol9IgzjgoL:HQGFKqpcN1UY+fCJrh9HjgoL
Score10/10-
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
-
Blocklisted process makes network request
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-