wshrat | 582ea24cd2052b74375774919a7e1f0de80e4bf9884234b26cb417502c1d2a74 | Triage

Sharing

General

Target

7fc3ab727001bb3f552bee872b7c90a7.bin
Size

208KB
Sample

230527-btd81saa56
MD5

a110f30318f89013d461a1d3c5ce95c1
SHA1

773d9050732c3c2337a3fcc7288090a902dff626
SHA256

582ea24cd2052b74375774919a7e1f0de80e4bf9884234b26cb417502c1d2a74
SHA512

93d6b99d5f90ea7c74a184310298a9abe8514981c327879781e69e15ed99c2de377f728cb61cdec5604187d41fa3e3a0ccf127d292696f15a1f57df820f21331
SSDEEP

3072:GYUq2GG4y/SQyG7yo3/8lywT6qrFB3kTVVy58ke7oFd61H0Eh7YpeM/xYzbjUzcy:GnVaQ7yW8VT0RVy54iEV/QeyW3fOzfpJ

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

- Target
  
  6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a.js
- Size
  
  899KB
- MD5
  
  7fc3ab727001bb3f552bee872b7c90a7
- SHA1
  
  f0fa0bdb338ecb45308bc83718559265077b9a86
- SHA256
  
  6ce2e7208cceb1b481306e5ccd7e8a8622567926cb3e8cdf442a4e2b94d8d97a
- SHA512
  
  13711dca473fc99c572273189531d45d037858c7fb2406c5457e9244aec2c15bd3cf20c6307fe10606a2b1ce3af911d06390f71c93f44f554fdf19f4c82ec24a
- SSDEEP
  
  6144:QQ5r1A7G9u13eV4pO5SolqKCvOZYuHYKq/ofQZvN0+QPJkh3dqYB2r8YOdchB1VF:TJ
Score

10^/10

wshrat trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2