wshrat | 4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c | Triage

Submit
Reports

Overview

overview

Static

static

GOE-6.508.pdf.js

windows7_x64

GOE-6.508.pdf.js

windows10-2004_x64

Sharing

General

Target

GOE-6.508.pdf.js
Size

1.5MB
Sample

220201-s4rqjaghaq
MD5

a35a17d6d986737f8d13c2e7896175b4
SHA1

ec1631b83df832f28b20c86b629e0c2862b3334c
SHA256

4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
SHA512

81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

Score

10^/10

wshrat link pdf persistence suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

GOE-6.508.pdf.js

Resource

win7-en-20211208

wshrat link pdf persistence suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

GOE-6.508.pdf.js

Resource

win10v2004-en-20220112

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

wshrat

C2

http://111.90.149.115:5200

Targets

- Target
  
  GOE-6.508.pdf.js
- Size
  
  1.5MB
- MD5
  
  a35a17d6d986737f8d13c2e7896175b4
- SHA1
  
  ec1631b83df832f28b20c86b629e0c2862b3334c
- SHA256
  
  4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c
- SHA512
  
  81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53
Score

10^/10

wshrat link pdf persistence suricata trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT Payload
- suricata: ET MALWARE WSHRAT CnC Checkin
  suricata: ET MALWARE WSHRAT CnC Checkin
  suricata
- suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
  suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

wshratlinkpdfpersistencesuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy