General

  • Target

    10102024_0311_ORDER-241091799.PDF.tar

  • Size

    732B

  • Sample

    241010-dpzehawdpb

  • MD5

    5510ea8ecf0b0fb4c6127bd23539d65d

  • SHA1

    94e62ea1c6b8b95a262a88d4dc40f2db70c18b82

  • SHA256

    b6c3470de534cbaee5c02142a41970c83dce64f83922826c7a916520332d318a

  • SHA512

    af67e659ea24259109641599f9b3f079dc61f55802ffd325b0fcb00a7d448827f61501e89d5daf992f3e0988e11107b4fc00b03842832189ba8f886e8167a0d7

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7044

Targets

    • Target

      ORDER-241091799.PDF.js

    • Size

      7KB

    • MD5

      e1daa8253602476d0ddd51e91e406a1a

    • SHA1

      10b0e9306019e58356a38074e609da3040da6641

    • SHA256

      4126a6f8a65fdb58a76b7af70974711560c58943c16466666cd8099ba2d117ac

    • SHA512

      70687606118a4599da950600ef7529c9c941c1ce524104512c8e3c852d1f81ab40710c1f4df6f4e3f95da01e8da9c2f35d6658f706667b55c4d4a817d32e7c3c

    • SSDEEP

      96:BmbAkRJ1vz3bYLEGU37ybeCwLHtYFCbvA:BmbAkRJ1vTbYLEGo7ybeCwLHmFCbvA

    • WSHRAT

WSHRAT is a variant of the Houdini worm and is distributed in both VBS and JS forms.

    • Blocklisted process makes network request

    • Checks computer location settings

Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application
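The signatures above describe four observable behaviours of this sample: a script host making a network request, contact with the reported C2, a Run key that launches a script, and a script dropped into the Startup folder. As an added example (not part of this report and not the sample's own code), the following Python encodes those behaviours as detection logic and runs it over constructed Sysmon-style events. The C2 host/port and dropped file name are taken from the report; the assumption that the script host is wscript.exe, the Windows paths and the sample events are constructed for illustration, not captured telemetry.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report above.
C2_HOST = "chongmei33.publicvm.com"
C2_PORT = 7044
DROPPED_SCRIPT = "ORDER-241091799.PDF.js"

# Assumption: the .js dropper runs under the Windows Script Host, so these are
# the "blocklisted" images whose outbound connections are treated as suspicious.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass
class SysmonEvent:
    """Minimal Sysmon record: EventID plus the fields this detector reads."""
    event_id: int   # 3 = network connect, 11 = file create, 13 = registry value set
    image: str      # full path of the acting process
    fields: dict    # Sysmon field names (DestinationHostname, TargetObject, ...)


def detect(ev: SysmonEvent) -> list[str]:
    """Return the names of the report's signatures that a single event matches."""
    hits = []
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.event_id == 3 and image in SCRIPT_HOSTS:
        hits.append("blocklisted_process_network_request")
        host = ev.fields.get("DestinationHostname", "").lower()
        port = int(ev.fields.get("DestinationPort", 0))
        if host == C2_HOST and port == C2_PORT:
            hits.append("wshrat_c2_contact")
    elif ev.event_id == 13 and RUN_KEY.search(ev.fields.get("TargetObject", "")):
        # Run value whose command line points at a script file, not a normal EXE.
        if SCRIPT_EXT.search(ev.fields.get("Details", "")):
            hits.append("run_key_launches_script")
    elif ev.event_id == 11:
        target = ev.fields.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
            hits.append("startup_folder_script_drop")
    return hits


def scan(events) -> Counter:
    """Aggregate signature hits over an event stream."""
    return Counter(hit for ev in events for hit in detect(ev))


# Constructed sample events shaped after what this sample's behaviour would
# produce on a host; illustrative only, not real telemetry.
APPDATA = r"C:\Users\victim\AppData\Roaming"
DROPPED_PATH = ntpath.join(APPDATA, DROPPED_SCRIPT)
STARTUP_PATH = ntpath.join(APPDATA, r"Microsoft\Windows\Start Menu\Programs\Startup", DROPPED_SCRIPT)
RUN_HIVE = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

SAMPLE_EVENTS = [
    SysmonEvent(11, WSCRIPT, {"TargetFilename": DROPPED_PATH}),
    SysmonEvent(11, WSCRIPT, {"TargetFilename": STARTUP_PATH}),
    SysmonEvent(13, WSCRIPT, {"TargetObject": RUN_HIVE + r"\ORDER-241091799.PDF",
                              "Details": f'wscript.exe //B "{DROPPED_PATH}"'}),
    SysmonEvent(3, WSCRIPT, {"DestinationHostname": C2_HOST, "DestinationPort": "7044"}),
    # Benign noise: a browser connecting elsewhere, and a Run value for a normal EXE.
    SysmonEvent(3, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                {"DestinationHostname": "example.org", "DestinationPort": "443"}),
    SysmonEvent(13, r"C:\Windows\explorer.exe",
                {"TargetObject": RUN_HIVE + r"\OneDrive",
                 "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}),
]

if __name__ == "__main__":
    for name, count in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {count}")
```

The "Checks computer location settings" signature is deliberately not covered: it is a registry read (by assumption, of the Geo\Nation value under HKCU\Control Panel\International), and Sysmon records registry writes, not reads, so it has to be caught in the sandbox or with an EDR that hooks registry queries. The file drop into AppData itself also produces no hit on its own; only the copy into the Startup folder and the Run value that points at a script are treated as persistence.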

MITRE ATT&CK Enterprise v15

Tasks