wshrat | c6db55b7e77e4d381d218b591bdc86db1e92355acb7be82d77042d87dada63b0 | Triage

Sharing

General

Target

e759742e2878b202f658cb2d8984e120.bin
Size

8KB
Sample

230322-cglyrsec87
MD5

b0cd9014adfe3072756d7f7568363ef3
SHA1

a059106c68570d1c820330a51bd38503f8c23345
SHA256

c6db55b7e77e4d381d218b591bdc86db1e92355acb7be82d77042d87dada63b0
SHA512

1865f6a2ff6bf686e4019ab0c7f61d95062521669372c746c018bf2fb3c62cea33a209d6d87020ed5a57c13bb680f6143525eb63089b8ce39f2e6b903abef0b6
SSDEEP

192:hG7gKhDdaZnFcvS1S8HPFdWghfcEFmY0eGJOJ4UjNPhYVCD+A3uBmK:LKhD8ZnG0/3h5FbrG8J4UjsQ+wK

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER_230320.pdf.vbs
- Size
  
  267KB
- MD5
  
  a4876007d9afb92163ed9933656eacbd
- SHA1
  
  8eafbf2887bb39ac089c95b50bf34fd27b7ee36f
- SHA256
  
  a58c4155a01aab820977ec8d2880edc9408b320f54ec7089db79e50da1b525a7
- SHA512
  
  8db4e28e3e1718416c1a3dfe7d461efd429345621f30bfe2f3b67532e2c26833a53b57a89cd4b3587488bf017926076b12b92ec15e1868babe5ded766cfa335c
- SSDEEP
  
  768:NGiZmuiZO+YlWGNOHGxOrBr/kXiFs6d3f9GdsGd+9dP1EC4SV5BW:l
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan