General
Target: 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Size: 1.6MB
Sample: 241122-z4cpyayrh1
MD5: de9603fb21ef4f79df4f0447c8a302e5
SHA1: 1525867c63fa3d4de01161d5a362b429b3eba6cd
SHA256: 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645
SHA512: 5d8981224ca6b51c0cfe615c1ec5a0f4aa74bc1d52654aa1b191eddd8cb6def25971b1a74052f9d9bafcd37893f23be97b2d512e0cab47413d8780e17ce1db96
SSDEEP: 24576:5AOcZ1svEiDery6uC+7CzDZS7ske7Cx38CJfyESnSUA6WftHb5pO0i0buNTbeUKI:zJEiyhz1S7ZsHEcSUA6WN3O31eb6ThZx
Static task: static1
Behavioral task: behavioral1
  Sample: 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: 62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe
Size: 1.6MB
Score: 10/10
- WSHRAT payload
- Wshrat family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
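The signatures above are what the sandbox observed; the same behaviours can be recognised from host telemetry. The following script is an added example and is not part of the sandbox report or the sample's own code: it replays a handful of constructed, Sysmon-like events through simple matchers for the flagged behaviours (Run-key persistence, startup-folder drop, registry country-code lookup, execution of a dropped EXE, loading of a dropped DLL, external-IP lookup, and a cross-process SetThreadContext call). The event schema, the process IDs and dropped-file paths, the registry keys it treats as location settings, and the list of IP-lookup hosts are all assumptions made for the example; the report names none of them.

```python
"""Replay endpoint telemetry against the behaviours the sandbox report lists.

Added example, not part of the sandbox report or the sample. The event schema,
paths, pids, registry keys and IP-lookup host list are assumptions for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    kind: str        # reg_set | reg_query | file_create | process_create | image_load | dns_query | api_call
    pid: int         # acting process
    image: str       # acting process image path
    target: str      # registry path, file path, host name, or API name
    detail: str = "" # value data, or the target pid for api_call events


# Constructed telemetry (paths other than the sample name, and all pids, are invented).
SAMPLE = r"C:\Users\victim\Downloads\62a67c42c309613f6bdd8dca730e8a03d2ad7067d89c57b5a980da1e37e33645.exe"
DROPPED_EXE = r"C:\Users\victim\AppData\Roaming\svchost32.exe"
DROPPED_DLL = r"C:\Users\victim\AppData\Local\Temp\helper.dll"
STARTUP_VBS = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"

SAMPLE_EVENTS: List[Event] = [
    Event("reg_query", 4120, SAMPLE, r"HKCU\Control Panel\International\Geo\Nation"),
    Event("file_create", 4120, SAMPLE, DROPPED_EXE),
    Event("file_create", 4120, SAMPLE, DROPPED_DLL),
    Event("file_create", 4120, SAMPLE, STARTUP_VBS),
    Event("process_create", 4120, SAMPLE, DROPPED_EXE),
    Event("image_load", 4388, DROPPED_EXE, DROPPED_DLL),
    Event("reg_set", 4388, DROPPED_EXE,
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
          'wscript.exe //B "' + STARTUP_VBS + '"'),
    Event("api_call", 4388, DROPPED_EXE, "SetThreadContext", "5012"),   # thread in another process
    Event("dns_query", 5012, r"C:\Windows\System32\wscript.exe", "api.ipify.org"),
    Event("dns_query", 5012, r"C:\Windows\System32\wscript.exe", "update.microsoft.com"),  # benign noise
]

# Assumed patterns; tune them to the registry keys and services seen in your own environment.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
COUNTRY_KEYS = re.compile(r"\\Control Panel\\International\\(?:Geo\\Nation|sCountry|Locale)$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io", "checkip.amazonaws.com"}


def triage(events: List[Event]) -> Dict[str, List[Event]]:
    """Return {signature name: matching events}.

    Events are processed in order: a file must be seen being created before a
    later process_create / image_load of that path counts as 'dropped'.
    """
    hits: Dict[str, List[Event]] = {}
    dropped: Set[str] = set()

    def hit(name: str, ev: Event) -> None:
        hits.setdefault(name, []).append(ev)

    for ev in events:
        path = ev.target.lower()
        if ev.kind == "file_create":
            dropped.add(path)
            if STARTUP_DIR.search(ev.target):
                hit("Drops startup file", ev)
        elif ev.kind == "reg_query" and COUNTRY_KEYS.search(ev.target):
            hit("Checks computer location settings", ev)
        elif ev.kind == "reg_set" and RUN_KEY.search(ev.target):
            hit("Adds Run key to start application", ev)
        elif ev.kind == "process_create" and path in dropped:
            hit("Executes dropped EXE", ev)
        elif ev.kind == "image_load" and path in dropped and path.endswith(".dll"):
            hit("Loads dropped DLL", ev)
        elif ev.kind == "dns_query" and path in IP_LOOKUP_HOSTS:
            hit("Looks up external IP address via web service", ev)
        elif ev.kind == "api_call" and ev.target == "SetThreadContext":
            # Setting the context of a thread in a different process is the
            # suspicious case; a process adjusting its own threads is common.
            if ev.detail and int(ev.detail) != ev.pid:
                hit("Suspicious use of SetThreadContext", ev)
    return hits


if __name__ == "__main__":
    for name, evs in triage(SAMPLE_EVENTS).items():
        print(f"[+] {name}: {len(evs)} event(s)")
        for ev in evs:
            print(f"      pid {ev.pid} {ev.kind} {ev.target} {ev.detail}".rstrip())
```

The ordering requirement in triage() is deliberate: "Executes dropped EXE" and "Loads dropped DLL" only fire for paths the telemetry has already seen written, which is what separates a dropped payload from a pre-existing binary. The same-pid guard on SetThreadContext keeps ordinary debugger and runtime behaviour out of the hit list.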