wshrat | ad718edd0bead205d5c8e0dc326a5c89ca3ba177914e6d16fe03a09c5f9984f3 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

wyrecover (1).js

windows7-x64

wyrecover (1).js

windows10-2004-x64

Sharing

General

Target

wyrecover (1).js
Size

188KB
Sample

221104-vsk5qabahn
MD5

fffb69df585df4ed900ba69aef15c41e
SHA1

2e8e68b4616e28fa4d829cfe1a47e2a2006c9fb4
SHA256

ad718edd0bead205d5c8e0dc326a5c89ca3ba177914e6d16fe03a09c5f9984f3
SHA512

0494c53e766375fe4b3f56725e65743cf92835a38bf60d3095ace26b9a947dd840282de2f93d3b333dcaf3ba6fd287cf3a7219b722e8f4f92c5c8210b86b97c4
SSDEEP

3072:GZebURCmAvEzHveGK/63H5pjOjOfQ0bamXbIpklgVDSxGfmuZJR:SRChmveGKyH5pjOjOoMhAklgF2GuuZ/

Score

10^/10

wshrat persistence trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

wyrecover (1).js

Resource

win7-20220812-en

wshrat persistence trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

wyrecover (1).js

Resource

win10v2004-20220901-en

wshrat persistence trojan

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

wshrat

C2

http://45.139.105.174:3670

Targets

- Target
  
  wyrecover (1).js
- Size
  
  188KB
- MD5
  
  fffb69df585df4ed900ba69aef15c41e
- SHA1
  
  2e8e68b4616e28fa4d829cfe1a47e2a2006c9fb4
- SHA256
  
  ad718edd0bead205d5c8e0dc326a5c89ca3ba177914e6d16fe03a09c5f9984f3
- SHA512
  
  0494c53e766375fe4b3f56725e65743cf92835a38bf60d3095ace26b9a947dd840282de2f93d3b333dcaf3ba6fd287cf3a7219b722e8f4f92c5c8210b86b97c4
- SSDEEP
  
  3072:GZebURCmAvEzHveGK/63H5pjOjOfQ0bamXbIpklgVDSxGfmuZJR:SRChmveGKyH5pjOjOoMhAklgF2GuuZ/
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan

© 2018-2025

Terms | Privacy