wshrat | 9ff895ca38e2eb401146ca815c8e1cc91bf4dde21e069dbe41603aed7cb5f0bd | Triage

Sharing

General

Target

a4876007d9afb92163ed9933656eacbd.bin
Size

9KB
Sample

230310-b46e9abc25
MD5

7b837d9432449b24d0df1f363d4148bb
SHA1

a30cc438ec563a6a941c50affb0beda398017e26
SHA256

9ff895ca38e2eb401146ca815c8e1cc91bf4dde21e069dbe41603aed7cb5f0bd
SHA512

53dd09d91462427b27da7a6736c904f70442c78ed1eab0af7f76852c417e9e98be4fcc7fe4dd2d0a219b8addb3bded844708fb4dca4eb8305db934f83a609a03
SSDEEP

192:jB1JUFcbRdfG25dshtX7liTFO/4zufozqtrDMcNI0IUlqJ9N:vJycbV5dsjXETFOwzuwqtXBNvjlGP

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  a58c4155a01aab820977ec8d2880edc9408b320f54ec7089db79e50da1b525a7.vbs
- Size
  
  267KB
- MD5
  
  a4876007d9afb92163ed9933656eacbd
- SHA1
  
  8eafbf2887bb39ac089c95b50bf34fd27b7ee36f
- SHA256
  
  a58c4155a01aab820977ec8d2880edc9408b320f54ec7089db79e50da1b525a7
- SHA512
  
  8db4e28e3e1718416c1a3dfe7d461efd429345621f30bfe2f3b67532e2c26833a53b57a89cd4b3587488bf017926076b12b92ec15e1868babe5ded766cfa335c
- SSDEEP
  
  768:NGiZmuiZO+YlWGNOHGxOrBr/kXiFs6d3f9GdsGd+9dP1EC4SV5BW:l
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan