wshrat | 4d88ae29c1596311d3af9d226e386732fcc7c201f20cfbc8bf39f2bba6ba4aae | Triage

Sharing

General

Target

b66938f8b8ab81aef4aceeea87bbe7b5.bin
Size

821B
Sample

230606-b5k6pscb5w
MD5

dbdb7a8be2cb58f7088a8282fa99a513
SHA1

a8acc8bcac69bee7ece73625cfd08091175c0e4f
SHA256

4d88ae29c1596311d3af9d226e386732fcc7c201f20cfbc8bf39f2bba6ba4aae
SHA512

a8b74a12342bc4ca505320b1fdeef3150873e0aabf30e16379589a3244768e7987b55f09291a208653f249a073bd091769723a3af8f89d93aebcf8ccdeaaedaf

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b.vbs
- Size
  
  9KB
- MD5
  
  b66938f8b8ab81aef4aceeea87bbe7b5
- SHA1
  
  2f140f44c2f74ecff2e24dcb0b3fbd72080e090a
- SHA256
  
  5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b
- SHA512
  
  0f449d44022e9abec453180dae1f25e06fb538359c6cc52f3eb6efafb9b339f293f733284c73ac2b793fac97aee92df01eeed524c361ac0f7c35664a97dfd0bc
- SSDEEP
  
  48:bnlrCVFFIlV2rVboysaqbwYHppKZ2I0wiin5I2c1YleGE/+:jlrCnFSmzs/3IKin5I2c1Yle9m
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

wshratpersistencetrojan