wshrat | a90a264f0536addcea90db6def755d53df5324d82d1d92f88134cc0c24360ffb | Triage

Sharing

General

Target

a98ac00dca5a70a34f6a194f777fcbd73d47e655ede61ece25fa113242b5341b
Size

733B
Sample

230614-tdwr8sba45
MD5

bf516853f7562ff20ac17be2db2f4295
SHA1

ce3b48d07e030e2d876fe15f4455aa0c2ceb886e
SHA256

a90a264f0536addcea90db6def755d53df5324d82d1d92f88134cc0c24360ffb
SHA512

2fce581503947041f31f82e59ac84848b34204215145e8ea287caf25303fbbd4e48030e0821f48567738bf1d4a0d8263d17db4221d31df15256e2ebadd84df7c

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-23023A_pdf.js
- Size
  
  7KB
- MD5
  
  933b4514edd326ee6e30c96cd77d82f9
- SHA1
  
  6d5cb6a10bb6483f6ceaa704b7ec96afa505ba10
- SHA256
  
  7322460676a315a08fd2e0a2d3dc6c9d25225fca29d1aa21428bc38354cbbcbe
- SHA512
  
  551613e20d98d59b1f9d225c57351717094c32a6f47fd8d994863e0e7e834d8e419dfaa41bf80dc7e229102f3b6bcd58cf41bb03562279a20fa689192444822f
- SSDEEP
  
  96:EPq4bVViLK3Zo7PjEA914wVViC8a4fEVUcx3GNwqEq4S2VViyKLoyrV9RdACUNVL:5jbLLgDzj/KK8AhbhxnC+dTO
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

wshratpersistencetrojan