wshrat | 6f4e16acaab16780b1ec03d549053980c05966b17b02d4b836240358f283ae57 | Triage

Sharing

General

Target

ORDER_230323.vbs
Size

237KB
Sample

230323-sdb76agd94
MD5

ad09b8c1e47b162243c8e6cfeb030ab6
SHA1

1777b8cb69f2984f55aa913282c16dc2aa0590ee
SHA256

6f4e16acaab16780b1ec03d549053980c05966b17b02d4b836240358f283ae57
SHA512

a3bedaee5151042318aed2b8fe97908ab259703ddf878e6c70fae20177907b7cac33673a8a96926d38aa749c4e2053ea25154ff50b02ee6e2836758346cd2bfc
SSDEEP

768:BMq8WDyk6tuYFiPYfiVXbniXs1YmV3hSmS6VBtLZJX+:S

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER_230323.vbs
- Size
  
  237KB
- MD5
  
  ad09b8c1e47b162243c8e6cfeb030ab6
- SHA1
  
  1777b8cb69f2984f55aa913282c16dc2aa0590ee
- SHA256
  
  6f4e16acaab16780b1ec03d549053980c05966b17b02d4b836240358f283ae57
- SHA512
  
  a3bedaee5151042318aed2b8fe97908ab259703ddf878e6c70fae20177907b7cac33673a8a96926d38aa749c4e2053ea25154ff50b02ee6e2836758346cd2bfc
- SSDEEP
  
  768:BMq8WDyk6tuYFiPYfiVXbniXs1YmV3hSmS6VBtLZJX+:S
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan