wshrat | 036e0c2001c52903733dfd1fe241ab8e1ea2d0156d034ba0ab70d3efe0a887d5 | Triage

Sharing

General

Target

Scan0030.xz
Size

223KB
Sample

230508-qhv5qace9w
MD5

dc1ffaeea8c45bfb0dc6515aec5775f1
SHA1

0ac410c505e0e1f9efca6af34922d7d7b6e85d37
SHA256

036e0c2001c52903733dfd1fe241ab8e1ea2d0156d034ba0ab70d3efe0a887d5
SHA512

69099f5b4d759dd0c02384d818b08ccf5091514bffc6220990c4e0013a160e583fe9c83d7facdd2b64a2a39e8b883e4afc7bfa09803753a87a475cc6fc49408c
SSDEEP

6144:EWIHlqIKbZCq/DPB/8BKyKEvvy744e7TdnlOqKv:EWfZbXxTyVvA44ehlbKv

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

- Target
  
  Scan0030.js
- Size
  
  898KB
- MD5
  
  b2b05e1631db082866c8f9d38cddf403
- SHA1
  
  3f19e69b66bf8c50993b55e5744818e3e92d4156
- SHA256
  
  c7805522f881cfa27c3cc92917f28da0f770d1e4ffe5aa170751058553da73ed
- SHA512
  
  7b7f6ab57bb555e07bd39e21e1470ea73c2dc4c1fa97bc1bbfb3361f8f2659d503a445a90e4125556a2ceba4236f83a077961340c435db0e070a91f6269d4c56
- SSDEEP
  
  6144:ROD297zg2plJPacQwE6hkpA0LysIfFk9jvCsYS9H17d9qFPNL6Z4MnJHI9Q6NCwU:+LP
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan