wshrat | 30d07a517dd533db174117c6d59cc0931ba9c4e413984906a6f1ac644850482a | Triage

Sharing

General

Target

fc71f33de4f4f7c693135b16c7c67fe6.bin
Size

8KB
Sample

230411-b9hldahh35
MD5

921b985ffbe124ad26b6ddf029e7e38e
SHA1

d780dae45a7672fc7c14301dabc03b208ded755f
SHA256

30d07a517dd533db174117c6d59cc0931ba9c4e413984906a6f1ac644850482a
SHA512

f9d0928fd1f66e8f2925436a3ad1628e7c95a2756d7c96c07bf08ed670d81635ced9c8de3730cc902dde2116f537a5b6b1c0361a064c0e2efec37ef1b28a6fed
SSDEEP

192:lzI8BEU+uRX/ttpYIRoB+N98zFGQ7dzWhhtqscArpWbNRSIY:lzI8uFuRX/zWoNv8zFX7dgFFWBY

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  Purchase_Order.vbs
- Size
  
  260KB
- MD5
  
  2ff3bce5c3e24a9a66ed42b49c3da68d
- SHA1
  
  ca5506d9d30e0690d3cc023fafd524e09145ae83
- SHA256
  
  7287f5e59370b51b2fa62b837ef11e5b7c37703151227c2fee01feaf04836fce
- SHA512
  
  675956065410bc169900d5b2f7e5cc93c3499c222e3bb4cf83a578413a66fb9fdc0dad3f0af2a8fcefddcf178d6709f8e6efedea8a4bd6e25337026172706b85
- SSDEEP
  
  768:Uwh+I+2b4WelZTvQYeXbxbYvEl2C9v0s0kdj57L3bK:Uwq7
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan