wshrat | a71299692434556a06c5bc37082b91bf7736311070556390fa34cedcd44cd976 | Triage

Sharing

General

Target

ORDER231804List.pdf.arj
Size

7KB
Sample

230507-k6hxeade35
MD5

fd287d81dda92b5cd5b92fd19b5a7c9d
SHA1

02ed3360d4c4cd54834c251807589a52ff8eabba
SHA256

a71299692434556a06c5bc37082b91bf7736311070556390fa34cedcd44cd976
SHA512

8c551522eba86a0a8ce0253f3f601540e4524e0e7be3b48b98484a27d11ad36ac517210c3b853b36a016cd6af39996d9342c80374cb20d774b9772e85a569efa
SSDEEP

192:S13J00XveSNx3u1AQLrGV7PioGaBmujbheMo80P+KWT/:oJjNx3uTLCdixsjrz0mL

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER_231804_List.vbs
- Size
  
  249KB
- MD5
  
  6afc65fd8742615b1505ec80ed3b40f6
- SHA1
  
  5731e7270d31672ba15f038271d16da68d56e148
- SHA256
  
  173136a6c173363068e7d7d16907f7fa38ec0d717dff663057304ee54adde4d7
- SHA512
  
  74c54092827e8f9e386381c64a8639b8d58a4e42fc608fad2687a127e5395de99c99f543f760e40029f830daa63faf49ecc9847476d0514eaaa825605cc52e25
- SSDEEP
  
  768:se4mo/QE6/2eWU6c25NXZ1kSEHSTYeB/AiAkpjXnd/NC:Td2tHuSg
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan