ratty

General

Target

9073eb184ea9cb5a5553ed24798073a5f50d0045e64f38a7c9166ed61bf463b8
Size

221KB
Sample

220521-pqv91sbadr
MD5

44e4a524574424dbe81694de83c56978
SHA1

b9dce4679c2a51be8e5bc649aaef642942eb4392
SHA256

9073eb184ea9cb5a5553ed24798073a5f50d0045e64f38a7c9166ed61bf463b8
SHA512

e30f168044919b4ac89ef3a1e0d63888e85b4a1a36c2a20b81ff3031e975ce5d869063dd4c516b9ddb86981bda0b7caad2312590d501968ef711ea3c6df26c74

Score

10^/10

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Targets

- Target
  
  fattura.jar
- Size
  
  221KB
- MD5
  
  4ebaf0ed00b6136fe1e4273508d855fa
- SHA1
  
  a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad
- SHA256
  
  be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d
- SHA512
  
  80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3
Score

10^/10

ratty wshrat persistence rat suricata trojan
- Ratty
  Ratty is an open source Java Remote Access Tool.
  trojan rat ratty
- Ratty Rat Payload
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- suricata: ET MALWARE WSHRAT CnC Checkin
  suricata: ET MALWARE WSHRAT CnC Checkin
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Ratty Rat Payload

WSHRAT

suricata: ET MALWARE WSHRAT CnC Checkin

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2