wshrat | 64271b2cc7849f1e9ea9d881f6014af70db7800dd86397437342b11ac6ed9d64 | Triage

Sharing

General

Target

ORDER-230217A.vbs
Size

198KB
Sample

230218-kc2sesbe89
MD5

cabfb532b1a74b86c6e2bda9d2085079
SHA1

076889ea3c5850677c67fad271028d717c21a37e
SHA256

64271b2cc7849f1e9ea9d881f6014af70db7800dd86397437342b11ac6ed9d64
SHA512

44e3024f159cd82f0b6886e51a2aed74613315f06a8d15e9a21c4e2e7967048d4c0b29f6ce431d64cc4b42bb8b9410a4afbb495c283fff136744a479f8397fd2
SSDEEP

384:g0EW3eLEL8Og4Rw1BMUsQ9JT2dR02zqB7L7cKF5B7A7MR9+0Kg0Bhpt7wp2k5V+0:g0ET1Epbhuh5mQBnF

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-230217A.vbs
- Size
  
  198KB
- MD5
  
  cabfb532b1a74b86c6e2bda9d2085079
- SHA1
  
  076889ea3c5850677c67fad271028d717c21a37e
- SHA256
  
  64271b2cc7849f1e9ea9d881f6014af70db7800dd86397437342b11ac6ed9d64
- SHA512
  
  44e3024f159cd82f0b6886e51a2aed74613315f06a8d15e9a21c4e2e7967048d4c0b29f6ce431d64cc4b42bb8b9410a4afbb495c283fff136744a479f8397fd2
- SSDEEP
  
  384:g0EW3eLEL8Og4Rw1BMUsQ9JT2dR02zqB7L7cKF5B7A7MR9+0Kg0Bhpt7wp2k5V+0:g0ET1Epbhuh5mQBnF
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan