wshrat | a296d00447ab6ebd54fb78afdeab1605246b0913130b870571ccaf7ae0117033 | Triage

Sharing

General

Target

PO230317_COPY.vbs
Size

206KB
Sample

230317-kv19lsfc59
MD5

77a541634d4f73b6b242bdecd53c1231
SHA1

e5d9ae28229954bb0097e057a45f957913ac163f
SHA256

a296d00447ab6ebd54fb78afdeab1605246b0913130b870571ccaf7ae0117033
SHA512

ddb659c6ff0df990146ee5af48421161e15ab28c331ebc26bca5537859e390234d6f299e9d4f5a1513ef0c988042ef4c315f0a9e2dd5503f5c26f29827770e7d
SSDEEP

768:DMYP16f3e2+DCn6F4jTF9aieJHRzzFaKE/x0hGmVxYAYe3BH7LFHY:IYQngUKS

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  PO230317_COPY.vbs
- Size
  
  206KB
- MD5
  
  77a541634d4f73b6b242bdecd53c1231
- SHA1
  
  e5d9ae28229954bb0097e057a45f957913ac163f
- SHA256
  
  a296d00447ab6ebd54fb78afdeab1605246b0913130b870571ccaf7ae0117033
- SHA512
  
  ddb659c6ff0df990146ee5af48421161e15ab28c331ebc26bca5537859e390234d6f299e9d4f5a1513ef0c988042ef4c315f0a9e2dd5503f5c26f29827770e7d
- SSDEEP
  
  768:DMYP16f3e2+DCn6F4jTF9aieJHRzzFaKE/x0hGmVxYAYe3BH7LFHY:IYQngUKS
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan