Overview

overview

10

Static

static

1

Purchase_Order.vbs

windows7-x64

10

Purchase_Order.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8D32AF363E9F3720668195F73C5B0F439E77B695AD282EFB6BB63B60FF5AED5C

  • Size

    8KB

  • Sample

    230518-cefzqshb72

  • MD5

    fc71f33de4f4f7c693135b16c7c67fe6

  • SHA1

    a7556c943778d0531a924e11814e87bb04e415cd

  • SHA256

    8d32af363e9f3720668195f73c5b0f439e77b695ad282efb6bb63b60ff5aed5c

  • SHA512

    e806f88a857e2f3ed1e03b12b88c63a03b4daba3817337854ecb24426a1ca70b5a4a6756892ee993bc63853207550bba4ff95496db6b854de9642a57f74d37b9

  • SSDEEP

    192:VYoQvL4gIn+l0ywGCihKSuT3D8hGDrooK+Xzw3:V5ycgcfyoMK7DvW

Score
10/10
wshratpersistencetrojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      Purchase_Order.vbs

    • Size

      260KB

    • MD5

      2ff3bce5c3e24a9a66ed42b49c3da68d

    • SHA1

      ca5506d9d30e0690d3cc023fafd524e09145ae83

    • SHA256

      7287f5e59370b51b2fa62b837ef11e5b7c37703151227c2fee01feaf04836fce

    • SHA512

      675956065410bc169900d5b2f7e5cc93c3499c222e3bb4cf83a578413a66fb9fdc0dad3f0af2a8fcefddcf178d6709f8e6efedea8a4bd6e25337026172706b85

    • SSDEEP

      768:Uwh+I+2b4WelZTvQYeXbxbYvEl2C9v0s0kdj57L3bK:Uwq7

    Score
    10/10
    wshratpersistencetrojan

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks