wshrat | 2bd1aae7d100fbdd561aa9274431732b7b590246a724f43e81afe35b58a95f97 | Triage

Sharing

General

Target

8ebbced4d3aebc154e8a98597e51eb05_ORDER-260123_doc.vbs
Size

195KB
Sample

230127-ta25vabh79
MD5

8ebbced4d3aebc154e8a98597e51eb05
SHA1

571f6b27b54ea33889b4171a633e62ebed6199ac
SHA256

2bd1aae7d100fbdd561aa9274431732b7b590246a724f43e81afe35b58a95f97
SHA512

b34838dceb14e7df5e5dff651cbd4aa7bef008c215fcc4269e89a5b87b83db7cfe589fa63a11dc1538146a0d09a1aec621cd85af9a4e3fbec583351c693314a6
SSDEEP

384:FzS12LoLycuEZ2npk6cyhrNTa4UjKqLU7D70OfDx7G7aD57y2OEAR3/omNQfo+nD:Fz3Ow86x

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  8ebbced4d3aebc154e8a98597e51eb05_ORDER-260123_doc.vbs
- Size
  
  195KB
- MD5
  
  8ebbced4d3aebc154e8a98597e51eb05
- SHA1
  
  571f6b27b54ea33889b4171a633e62ebed6199ac
- SHA256
  
  2bd1aae7d100fbdd561aa9274431732b7b590246a724f43e81afe35b58a95f97
- SHA512
  
  b34838dceb14e7df5e5dff651cbd4aa7bef008c215fcc4269e89a5b87b83db7cfe589fa63a11dc1538146a0d09a1aec621cd85af9a4e3fbec583351c693314a6
- SSDEEP
  
  384:FzS12LoLycuEZ2npk6cyhrNTa4UjKqLU7D70OfDx7G7aD57y2OEAR3/omNQfo+nD:Fz3Ow86x
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan