wshrat | 8d32af363e9f3720668195f73c5b0f439e77b695ad282efb6bb63b60ff5aed5c | Triage

Sharing

General

Target

8D32AF363E9F3720668195F73C5B0F439E77B695AD282EFB6BB63B60FF5AED5C
Size

8KB
Sample

230518-cefzqshb72
MD5

fc71f33de4f4f7c693135b16c7c67fe6
SHA1

a7556c943778d0531a924e11814e87bb04e415cd
SHA256

8d32af363e9f3720668195f73c5b0f439e77b695ad282efb6bb63b60ff5aed5c
SHA512

e806f88a857e2f3ed1e03b12b88c63a03b4daba3817337854ecb24426a1ca70b5a4a6756892ee993bc63853207550bba4ff95496db6b854de9642a57f74d37b9
SSDEEP

192:VYoQvL4gIn+l0ywGCihKSuT3D8hGDrooK+Xzw3:V5ycgcfyoMK7DvW

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  Purchase_Order.vbs
- Size
  
  260KB
- MD5
  
  2ff3bce5c3e24a9a66ed42b49c3da68d
- SHA1
  
  ca5506d9d30e0690d3cc023fafd524e09145ae83
- SHA256
  
  7287f5e59370b51b2fa62b837ef11e5b7c37703151227c2fee01feaf04836fce
- SHA512
  
  675956065410bc169900d5b2f7e5cc93c3499c222e3bb4cf83a578413a66fb9fdc0dad3f0af2a8fcefddcf178d6709f8e6efedea8a4bd6e25337026172706b85
- SSDEEP
  
  768:Uwh+I+2b4WelZTvQYeXbxbYvEl2C9v0s0kdj57L3bK:Uwq7
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan