wshrat | 2b4d9736707fe7481f7ecfa29db3ae062f61452308d8f6f352cb970fa243fadf | Triage

Sharing

General

Target

26dd4d56ebc911f4088bff1a4ba6d90d.bin
Size

9KB
Sample

230408-bm61fsdc61
MD5

28c31c7c25a91eca3152fe86526cba9c
SHA1

73b7b9eccc1a5606a3155b35b6658b0c04f628ae
SHA256

2b4d9736707fe7481f7ecfa29db3ae062f61452308d8f6f352cb970fa243fadf
SHA512

a78ebf40307bfb6da30e6edf0cbe0fb4374b92c888a31145def5e2334cfb6ec7ceab62fb12d1be9f1738e559272d6298521ecf5b029af5e7b4f7fabb82b7a4d3
SSDEEP

192:zkhsU+xV+i3EhdW/15q+UG4IKs3ETAqcX8M2RBuOh/:pxV+5I1PHKLaMM2B/

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  a3d0cbb2060021757f2514e9f190b1ac4d7d0ec79bc91351ed7a794ba05cab0a.unknown
- Size
  
  271KB
- MD5
  
  26dd4d56ebc911f4088bff1a4ba6d90d
- SHA1
  
  81be8f4ad3eb8061da6722a8e69c4ca67c0c1a66
- SHA256
  
  a3d0cbb2060021757f2514e9f190b1ac4d7d0ec79bc91351ed7a794ba05cab0a
- SHA512
  
  2cb54bd272b2238a2168828e69c39e0c9ed9017690f08130927a71aa89e638419cce3d63e8e582ec151414c8c6bc94a56b2d5e937a56df182914e8ac6e0b3f59
- SSDEEP
  
  768:DQsieR2wEfnsuuhjdVex8HWqHBACAaDHfj5BjW:wl
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan