wshrat | 48b52babdbbc6826bdf0824b0025bb726d9c94441eaa31cdc2fa421f861deedb | Triage

Sharing

General

Target

315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.zip
Size

9KB
Sample

230502-y8y83aeb9t
MD5

b4922ac7c48e92e0e02f997c9a171ff1
SHA1

28e9ad620500023e3b40c72273433637a6ede16a
SHA256

48b52babdbbc6826bdf0824b0025bb726d9c94441eaa31cdc2fa421f861deedb
SHA512

41c52699d40cce8e6d1ea77d3f4275056214f9479668fce25d8be78d07b8d9153cb34acf0d6d62a60ff4e17ffc8171149b8cb37e064c43f5ef4fccbdd2573040
SSDEEP

192:+PzO2KM4zMGJPRS9M5PZoAKGTUEiXqcZNRDcjJTRsXTv:+wzzMBEhoAKG0qILD2GXTv

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d.vbs
- Size
  
  289KB
- MD5
  
  ba07223a894931526fd69b0c2b21221d
- SHA1
  
  d7b63bb26abca39ef9c5ececa1a7bee5aa68cd15
- SHA256
  
  315061606e655e66db6ed9fa5bcbbac33e645c36da0a5730717973b8e323eb0d
- SHA512
  
  49611e025ccaa2f79072b3a1ab53b7d3fce2c61602ab6dc03dcf2fe9af862bdcdc35c9a3475c8a89ce99cadc89c20495730c048bd23248d644dee54b9a252799
- SSDEEP
  
  384:d7QL+L0YoyzODjxosdoKF5vT8b8Qq6Pu7r7eOFDl7k7EDFh+2O0i99RVz8Jm0Jp1:4
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan