wshrat | 98a77976e106ed9d665a7856da1371dd1e6e61cda4dd076cbb6f191c2f1e9ff6 | Triage

Sharing

General

Target

Purchase_Order.vbs
Size

216KB
Sample

230325-r8yh7sdb79
MD5

286fff39c1b94a7faea3275f7d32abfd
SHA1

fc077b0bcef5f5c694cf913cd69081c5bcf23d82
SHA256

98a77976e106ed9d665a7856da1371dd1e6e61cda4dd076cbb6f191c2f1e9ff6
SHA512

e618504775f2e3a5a294a519d18868531c51822ae4377ec800ad5fb264aaa2c77bbb3e0dfbc3c5f812b6940e6e91131d1616b75239a9dd6f4c7ab4f55df3d2c3
SSDEEP

384:dQiz8VURuMLULOnskUVyxn4eyY/3TmXSqEKk1x3D82nc8OmyGD0a9Yo4V4ShBBqn:18VURFqSXgNMeST

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  Purchase_Order.vbs
- Size
  
  216KB
- MD5
  
  286fff39c1b94a7faea3275f7d32abfd
- SHA1
  
  fc077b0bcef5f5c694cf913cd69081c5bcf23d82
- SHA256
  
  98a77976e106ed9d665a7856da1371dd1e6e61cda4dd076cbb6f191c2f1e9ff6
- SHA512
  
  e618504775f2e3a5a294a519d18868531c51822ae4377ec800ad5fb264aaa2c77bbb3e0dfbc3c5f812b6940e6e91131d1616b75239a9dd6f4c7ab4f55df3d2c3
- SSDEEP
  
  384:dQiz8VURuMLULOnskUVyxn4eyY/3TmXSqEKk1x3D82nc8OmyGD0a9Yo4V4ShBBqn:18VURFqSXgNMeST
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan