wshrat | e1755cf3f8f189cb93bffdb04f0263d07718e0c5827fc45dfe5227df64fd67b3 | Triage

Sharing

General

Target

64271b2cc7849f1e9ea9d881f6014af70db7800dd86397437342b11ac6ed9d64.zip
Size

8KB
Sample

230321-r5xgqsbe72
MD5

9e757ca98e35e87f778be6be58383468
SHA1

0b528753ace08e92591dec6fc746b0f330dc58ef
SHA256

e1755cf3f8f189cb93bffdb04f0263d07718e0c5827fc45dfe5227df64fd67b3
SHA512

80611009a4e6b75c713ac18b5414a3bcb208d4f057bae0de88a3a7af68a640a899e1d28074c905e97e5c9f74f00b69ad00b9d6c0e98dc66caba2636d0f45d0d1
SSDEEP

192:2KTF+Mp9Nc1iequlNYd+gRcAoy/NHnrw4IygQyv5RMpB1xq:h+MsienlNxgRroy1Hrw4IygVRwnc

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  64271b2cc7849f1e9ea9d881f6014af70db7800dd86397437342b11ac6ed9d64.vbs
- Size
  
  198KB
- MD5
  
  cabfb532b1a74b86c6e2bda9d2085079
- SHA1
  
  076889ea3c5850677c67fad271028d717c21a37e
- SHA256
  
  64271b2cc7849f1e9ea9d881f6014af70db7800dd86397437342b11ac6ed9d64
- SHA512
  
  44e3024f159cd82f0b6886e51a2aed74613315f06a8d15e9a21c4e2e7967048d4c0b29f6ce431d64cc4b42bb8b9410a4afbb495c283fff136744a479f8397fd2
- SSDEEP
  
  384:g0EW3eLEL8Og4Rw1BMUsQ9JT2dR02zqB7L7cKF5B7A7MR9+0Kg0Bhpt7wp2k5V+0:g0ET1Epbhuh5mQBnF
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan