wshrat

Sharing

Copy URL

Twitter E-mail

General

Target

A.rar
Size

3.0MB
Sample

230611-mbe85sgh69
MD5

863bc8fe5e347b71fa56b17657999ab8
SHA1

7cb8f68159647957c27f5014d295ec48468fa039
SHA256

7714602b44e30e482f50789f308caf60998c93d667ada525934f104ec4bbf8a1
SHA512

90bc5ae6e82c097fedb07edec6b5291af63459f339a9334a265a1e289a6b1acfc50080da31f92b7acac7ecdf1a48ff6b031d8d7834ca94d7ec89cb859e89cd76
SSDEEP

49152:BW6wefnsMxOIHBGGYE4hmM9GlnHbavTGYtxzJ/3h5bdiZNHYtyWssbFPx:kofnlxpHEGYE4p9GlaCYvzJ/0HKNx

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.45.161:8081/meter.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.45.161/meter.ps1

Extracted

Language

xlm4.0

Source

Targets

- Target
  
  1c1f3eaf142c53480147c6e98cea4547
- Size
  
  35KB
- MD5
  
  1c1f3eaf142c53480147c6e98cea4547
- SHA1
  
  92fbb5db21194832b830e4f5c44449c582138b50
- SHA256
  
  42e299adf74331dc51950a2e0195d4f3230170358b362463cb1f113bc5755e6e
- SHA512
  
  9a3a8bce2902a5be9c26bff283968161aca0237162f30a129c97fc65b9f52aa1cb724310ff9767967e1a6e360bf36432448df0e0fd542bdc0ab2477e254de540
- SSDEEP
  
  384:A8iSUR/8det0Vyw/v+2iUP0jDeT1Jtl/+qTQ:i/quCTiy4eFU
Score

10^/10

wshrat persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  23e8349880dde570473345c8b6ba8d94
- Size
  
  75KB
- MD5
  
  23e8349880dde570473345c8b6ba8d94
- SHA1
  
  f496de8c8c54962429d53b59113470f7f20c82e3
- SHA256
  
  a410b38594d20a9d7a66ea9f6c9838fd21d9916a27a999d13a82f52b456aba28
- SHA512
  
  22018ecf84017431d9872235786ccb86d373f254b87badf7af86d0b70bce86af4f646a567888f17a2ab7722088e3e628e5d1f3175247d7a5a6358930375ef9d7
- SSDEEP
  
  768:IXtnj8DgCxoXWfsJ3sWafL2zY7mTNxMS+twHDIxz99tIUt:IXd8HxoX13shfyzEmTp+aHDI3
Score

4^/10
behavioral3 behavioral4
- Target
  
  5568d72be1bdebf9187261a24b3b324f
- Size
  
  22KB
- MD5
  
  5568d72be1bdebf9187261a24b3b324f
- SHA1
  
  3729b13695a975366e1604e4fe31226591793823
- SHA256
  
  2d9d77b0ab2b6c17fb16a1ce244f5d26fe9e688f6d7ee071fef18bee8e510737
- SHA512
  
  a9befbe909487c68dd0d074066d3731db71985242fcb91a044f2410114372266b117b04ff71a51374f5cbda9842c2489197aebc3df102562e48eb408fe7f4389
- SSDEEP
  
  384:oVzIiSXPf8dizrcdDbUVOwGAnbmbAecFekbKWVmNrxQ8khE1pE/a:G8iDiEdDgxmADekbKW8rky1p3
Score

1^/10
behavioral5 behavioral6
- Target
  
  b8eedd013827b960eee4c0ae07ae5513
- Size
  
  351KB
- MD5
  
  b8eedd013827b960eee4c0ae07ae5513
- SHA1
  
  7c8a8f64ff3367238e1d963d090a99c33677f011
- SHA256
  
  8cfa170eb8271b0dc1e27b6792400161b0b8ab7ac49f4a88017bbcfe588d2d1f
- SHA512
  
  78fcabd81473f8d51699a8e97e00e5cdfe107fbb3f8c3da3ceac6cf994d71fd280b5d24292947d293621c62adda0031fdc86dc609a75a237572b2203d237d7c0
- SSDEEP
  
  6144:lW7fmlEskwkftlYoqDQX+++eUnG1Cg2KyS6g6ixSXprHMqy:lW7OKskwMlED+UnG1f2KySciMXprFy
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral7 behavioral8
- Target
  
  bcdf20e65445ed6bda794d958025e417
- Size
  
  16KB
- MD5
  
  bcdf20e65445ed6bda794d958025e417
- SHA1
  
  6f3f1523627525c8efbb5bfe3e2f612d96801bef
- SHA256
  
  332221ec47c7a4dd0296890e05e5c6647993dd1efdb139151e914e7cf22f9e65
- SHA512
  
  9769842c9899b9ed2804a4390c40484908813035ca47f7b7ed6a7021337a91701b9daf9efb6ff94730d0b91f45fdd53631b3ac16e5cf1525008bedcfb5ac6210
- SSDEEP
  
  384:/iutorSBqsqFxtJsUvWNxt/ZtNNkvJWObKo1nldRN:/XsUyFDJsUv8xllNkvPbKo1fD
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral10 behavioral9
- Target
  
  c82717259c368b69cb64572e74042c02
- Size
  
  16KB
- MD5
  
  c82717259c368b69cb64572e74042c02
- SHA1
  
  2fc0ceb46caa5529bf3c7bce4c11793e1bfa45d3
- SHA256
  
  5636b00a5c350d5f80d7654e256302f5c58b0d899fa800e8ff47ceb30b796732
- SHA512
  
  af326ce518d9ec7a474cec903048e99d05608bfc4fe4966924c046773e43b6d5375742670fd241113e5f838710cb3595080e7cd6b61adec51d23f9f82b9f70e6
- SSDEEP
  
  384:/iutbydI+IQLQDZaNxt/ZtNNsstAWObKo1n9EA:/XEIKCGxllNsstobKo19z
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

WSHRAT payload

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Process spawned unexpected child process

Process spawned unexpected child process

Process spawned unexpected child process

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12