wshrat | ca8c51adb24f855f6e92f107ccb4b782081661d8a5288b08bf4fd5911ae02585 | Triage

Sharing

General

Target

ORDER-230770.pdf.vbs
Size

273KB
Sample

230301-xvxyeahg74
MD5

a82190a1aa4c07cf23e80083694ae1fd
SHA1

d62b8414e9872584c1498584b68b61e5a0e4dd26
SHA256

ca8c51adb24f855f6e92f107ccb4b782081661d8a5288b08bf4fd5911ae02585
SHA512

6b594b492aac69dfe0e2ff352b9ce131293bb4acdf7a9391200d1da8bd378f241160510da03cb53e1551a240dd90a1e773c9f35064b9cf5cd70dd4bc82b2f01f
SSDEEP

384:B3gLoLuSIMHELTMbseb4jxvTuh0I6EJG7T7EYXDL787OD3Hk2YeE1dDvJuVGKrhh:r/i

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-230770.pdf.vbs
- Size
  
  273KB
- MD5
  
  a82190a1aa4c07cf23e80083694ae1fd
- SHA1
  
  d62b8414e9872584c1498584b68b61e5a0e4dd26
- SHA256
  
  ca8c51adb24f855f6e92f107ccb4b782081661d8a5288b08bf4fd5911ae02585
- SHA512
  
  6b594b492aac69dfe0e2ff352b9ce131293bb4acdf7a9391200d1da8bd378f241160510da03cb53e1551a240dd90a1e773c9f35064b9cf5cd70dd4bc82b2f01f
- SSDEEP
  
  384:B3gLoLuSIMHELTMbseb4jxvTuh0I6EJG7T7EYXDL787OD3Hk2YeE1dDvJuVGKrhh:r/i
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan