wshrat | af225710834945af83a66163ffe1549d64c624d5d95f527fdd7eced708497fc4 | Triage

Sharing

General

Target

Purchase_Order.zip
Size

17KB
Sample

230524-szd9msdf3w
MD5

1bef35cf12a2859bcd244bac90c4ffe7
SHA1

66a201eebfa893f0a550082173be0a45532ce624
SHA256

af225710834945af83a66163ffe1549d64c624d5d95f527fdd7eced708497fc4
SHA512

0e557acd68162585f83fa81ad6c7f64e4d03cc722f0222ba147d80b239f0ce80c2868de39118232fc049a6f4f2c6942aa0c75f5d07c98614a188e96026aadfaf
SSDEEP

384:OVw9OlmwwcsGhWgPhkCy+H5dlQWCVw2WDIUjMh40kN+V6Gb:OzlmwwccgO4dllC+2WDIUjMh40B6G

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  Purchase_Order.xls.vbs
- Size
  
  527KB
- MD5
  
  8faf36edfae1ec0e8eccd3c562c03903
- SHA1
  
  0c44c3c6291c67c4eae6e1f8238f098adaee1a32
- SHA256
  
  1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196
- SHA512
  
  a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b
- SSDEEP
  
  384:Lu1hvWiWMmkNULg4viK3Ai44MXziJGUSJ0Pw6qVskjhj6Zxc6Xx0f3+hFx+gItIL:cvO
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan