wshrat | a64102ad5032310cb854cd6f68255cbfa61173ef90f88c399ba10a0b15523e18 | Triage

Sharing

General

Target

ORDER-234468.doc.vbs
Size

193KB
Sample

230516-m9p61ahe4s
MD5

57ebbe2e997dbfea17030286f8993cb4
SHA1

c5b7745fd561933d84c68b18fff5a131726034cd
SHA256

a64102ad5032310cb854cd6f68255cbfa61173ef90f88c399ba10a0b15523e18
SHA512

7451907e7192da0a09ea9989b4438ad600b760d7af465735a305f20a88c78209000dd1f3bf3b5c99e2e8781dfbf4d75aac9f4ac9897be9c47e6b18e3bf27826d
SSDEEP

384:TxmlmlWimcfU4pbuyerHazSVrxXNX8ZW7/z7X9rlPl0X5mu1uEK9y4VKthVf7JDe:a

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-234468.doc.vbs
- Size
  
  193KB
- MD5
  
  57ebbe2e997dbfea17030286f8993cb4
- SHA1
  
  c5b7745fd561933d84c68b18fff5a131726034cd
- SHA256
  
  a64102ad5032310cb854cd6f68255cbfa61173ef90f88c399ba10a0b15523e18
- SHA512
  
  7451907e7192da0a09ea9989b4438ad600b760d7af465735a305f20a88c78209000dd1f3bf3b5c99e2e8781dfbf4d75aac9f4ac9897be9c47e6b18e3bf27826d
- SSDEEP
  
  384:TxmlmlWimcfU4pbuyerHazSVrxXNX8ZW7/z7X9rlPl0X5mu1uEK9y4VKthVf7JDe:a
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

wshratpersistencetrojan