wshrat | 59ce78d979aca8457c92a37f6a93f81836af751bae9339d47359891fafebbbbc | Triage

Sharing

General

Target

a58c4155a01aab820977ec8d2880edc9408b320f54ec7089db79e50da1b525a7.zip
Size

9KB
Sample

230321-r5xshabe74
MD5

f8dea368d987c0fc08aca0b6614cac21
SHA1

c21f95e00c44b13beaa1603310e67531371f18b7
SHA256

59ce78d979aca8457c92a37f6a93f81836af751bae9339d47359891fafebbbbc
SHA512

dc4a990ede6c0c8b5949ffcacdad647bcb24db390f35eaa21e94c20f3aac8153ebd7d435b2365d266dd7f5b3c9960f0bae01d318954b085179eaa2c177aa356b
SSDEEP

192:fzIHQ9Vfsw7ObgsQltCum0hLtXodbmNcE5Iw1653tvmaC:+iZsw7vsGsh0hZXodKcu16d5maC

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  a58c4155a01aab820977ec8d2880edc9408b320f54ec7089db79e50da1b525a7.vbs
- Size
  
  267KB
- MD5
  
  a4876007d9afb92163ed9933656eacbd
- SHA1
  
  8eafbf2887bb39ac089c95b50bf34fd27b7ee36f
- SHA256
  
  a58c4155a01aab820977ec8d2880edc9408b320f54ec7089db79e50da1b525a7
- SHA512
  
  8db4e28e3e1718416c1a3dfe7d461efd429345621f30bfe2f3b67532e2c26833a53b57a89cd4b3587488bf017926076b12b92ec15e1868babe5ded766cfa335c
- SSDEEP
  
  768:NGiZmuiZO+YlWGNOHGxOrBr/kXiFs6d3f9GdsGd+9dP1EC4SV5BW:l
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan