wshrat | 6a119ff044fe20b93eec2073d34d84f01467e4bd23d94d15f70c9b90b701dff5 | Triage

Sharing

General

Target

ORDER-238974_LIST.pdf.ace
Size

621B
Sample

230616-fpsm3ach52
MD5

cdd32da69f6bfdf84d8ca8a0691ac2c2
SHA1

057a253d574dbb5768c6cfb2c2309bfc723a3c25
SHA256

6a119ff044fe20b93eec2073d34d84f01467e4bd23d94d15f70c9b90b701dff5
SHA512

4d71401924c0162f7846a8319c8103a58c67d0c9e81661e9ae5393f00a00786d18327d4fb96d8d545017789b8ccb5045ce58d3ce4d676537ea4bcbd97a927cde

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  ORDER-238974_LIST.pdf.vbs
- Size
  
  8KB
- MD5
  
  5c75f54e96d8ac97fa9644b0c8bac3d7
- SHA1
  
  668fef3a068cbbdf4c8fc4b81f3b81b4a671460e
- SHA256
  
  b03c3e78db7276e75dbb30b144d6dba8d417c25a59ea563c5691b5dbdc2b69e9
- SHA512
  
  d9eb586c09e3b05d6f35b20f56d4ebb3e4b80da490af0894a37d0388f406c819e66c5355297e0acbbe408b2066467e73bb801d360c8501afb975f1aaf868723a
- SSDEEP
  
  48:5AqkDUOQB6D8LD1QOFLDnw30Gwj0H6r5d3bCgDoB:IDLDuDVDdIgDe
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

wshratpersistencetrojan