Malware Analysis Report

2024-10-23 22:01

Sample ID 230718-lne88sab9t
Target e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469
SHA256 e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469
Tags
guloader wshrat downloader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469

Threat Level: Known bad

The file e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469 was found to be: Known bad.

Malicious Activity Summary

guloader wshrat downloader persistence trojan

WSHRAT

Guloader,Cloudeye

WSHRAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Drops startup file

Loads dropped DLL

Checks QEMU agent file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-18 09:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-18 09:40

Reported

2023-07-18 09:43

Platform

win10-20230703-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe"

Signatures

Guloader,Cloudeye

downloader guloader

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs C:\Windows\SysWOW64\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WSH01.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\XcJBL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XcJBL.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcJBL = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\XcJBL.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
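The Run values, the Startup-folder drop and the Script User-Agent rows above are the three host and proxy artefacts a defender can hunt for without the sample. The detection logic below is an added example, not part of the sandbox report; the event records are constructed to mirror the report's rows (the process behind the HTTP request is an assumption, the report lists N/A), and the extra script hosts and extensions in the patterns widen the rule beyond wscript/.vbs and are likewise assumptions.

```python
"""Detection logic for three indicators this report records: Run values that
relaunch a dropped script through a script host, a script written to the
Startup folder, and HTTP requests carrying the WinHttpRequest User-Agent.
Sample events are constructed to mirror the report's rows; process attribution
for the HTTP event is an assumption (the report lists N/A)."""
import re
from dataclasses import dataclass

# Script hosts abused as autostart launchers. wscript is what this sample uses;
# the others widen the rule and are an assumption, not report data.
SCRIPT_HOSTS = r"\b(?:wscript|cscript|mshta|powershell)(?:\.exe)?\b"
# User-writable locations a dropped script usually lives in.
USER_WRITABLE = r"\\(?:AppData\\(?:Roaming|Local)|Users\\Public|ProgramData|Temp)\\"
SCRIPT_EXT = r"\.(?:vbs|vbe|js|jse|wsf|hta|ps1)\b"

RUN_KEY_RE = re.compile(
    r"(?i)\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|$)")
RUN_VALUE_RE = re.compile(rf"(?i){SCRIPT_HOSTS}.*{USER_WRITABLE}.*{SCRIPT_EXT}")
SILENT_FLAG_RE = re.compile(r"(?i)\s//?b\b")   # wscript //B suppresses errors and prompts
STARTUP_DROP_RE = re.compile(rf"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+{SCRIPT_EXT}")
WINHTTP_UA_RE = re.compile(r"(?i)\bWinHttp\.WinHttpRequest\.\d+\b")


@dataclass
class Event:
    kind: str      # "registry_set" | "file_create" | "http"
    process: str   # image that performed the action
    target: str    # registry value path, file path, or HTTP host
    detail: str    # registry value data, "" for file events, User-Agent for http


def detect(ev):
    """Return the names of the rules the event matches (empty list = clean)."""
    hits = []
    if ev.kind == "registry_set" and RUN_KEY_RE.search(ev.target) and RUN_VALUE_RE.search(ev.detail):
        hits.append("run_key_script_host_autostart")
        if SILENT_FLAG_RE.search(ev.detail):
            hits.append("run_key_silent_script_flag")
    elif ev.kind == "file_create" and STARTUP_DROP_RE.search(ev.target):
        hits.append("startup_folder_script_drop")
    elif ev.kind == "http" and WINHTTP_UA_RE.search(ev.detail):
        hits.append("winhttprequest_user_agent")
    return hits


def triage(events):
    """Group matching events as rule name -> list of targets."""
    out = {}
    for ev in events:
        for rule in detect(ev):
            out.setdefault(rule, []).append(ev.target)
    return out


WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
SID = "S-1-5-21-1148472871-1113856141-1322182616-1000"
RUN_DATA = r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"'

# Constructed events mirroring the report's rows, plus two benign controls.
SAMPLE_EVENTS = [
    Event("registry_set", WSCRIPT,
          rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\XcJBL", RUN_DATA),
    Event("registry_set", WSCRIPT,
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XcJBL", RUN_DATA),
    Event("file_create", WSCRIPT,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs", ""),
    Event("http", WSCRIPT, "ip-api.com",   # process attribution assumed
          "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"),
    # Benign controls (constructed): a vendor updater in Run and a browser User-Agent.
    Event("registry_set", r"C:\Windows\explorer.exe",
          rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    Event("http", r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.com",
          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"),
]

if __name__ == "__main__":
    for rule, targets in triage(SAMPLE_EVENTS).items():
        print(rule, "->", targets)
```

The rules key on what the sample does rather than on the name XcJBL: any Run value that starts a script host on a script under a user-writable path, any script landing in the Startup folder, and the WinHttpRequest User-Agent that WSH scripts emit. On a live host the same checks map to Sysmon registry (EventID 13) and file-create (EventID 11) events and to proxy logs; expect the User-Agent rule to need a per-environment allowlist, since legitimate scripts use the same COM object.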

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 356 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
PID 356 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
PID 356 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
PID 356 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe
PID 4364 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\WSH01.exe
PID 4364 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\WSH01.exe
PID 4364 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe C:\Users\Admin\AppData\Local\Temp\WSH01.exe
PID 616 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\WSH01.exe C:\Windows\SysWOW64\wscript.exe
PID 616 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\WSH01.exe C:\Windows\SysWOW64\wscript.exe
PID 616 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\WSH01.exe C:\Windows\SysWOW64\wscript.exe
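The repeated "PID A wrote to memory of B" rows above read more easily as a chain. The reconstruction below is an added example, not sandbox output; the rows are copied from the table (the N/A indicator column is dropped), and the same-image flag is a heuristic added here: a parent writing into a freshly spawned copy of its own image is the pattern of self-injection or hollowing, which is consistent with the report's SetThreadContext and MapViewOfSection signatures but not something the report states.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory rows."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe"
WSH01 = r"C:\Users\Admin\AppData\Local\Temp\WSH01.exe"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"

# (Description, Process, Target) triples copied from the report's table.
WPM_ROWS = ([("PID 356 wrote to memory of 4364", SAMPLE, SAMPLE)] * 4
            + [("PID 4364 wrote to memory of 616", SAMPLE, WSH01)] * 3
            + [("PID 616 wrote to memory of 4852", WSH01, WSCRIPT)] * 3)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def injection_chain(rows):
    """Collapse repeated rows into edges and walk them from the root process."""
    edges = Counter()
    image = {}
    for desc, proc, target in rows:
        m = WPM_RE.fullmatch(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        image[src] = proc
        image[dst] = target
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    hops = []
    for root in roots:
        cur, seen = root, {root}
        while True:
            # The report shows a linear chain; a branching tree would need a full walk.
            nxt = [(d, n) for (s, d), n in edges.items() if s == cur and d not in seen]
            if not nxt:
                break
            dst, n = nxt[0]
            hops.append({
                "src": cur, "dst": dst, "writes": n,
                "src_image": image[cur], "dst_image": image[dst],
                # Heuristic (added here): same image on both ends = self-injection / hollowing pattern.
                "same_image": image[cur].lower() == image[dst].lower(),
            })
            seen.add(dst)
            cur = dst
    return hops


def render(hops):
    """One line per hop, flagging parent-writes-into-own-image hops."""
    lines = []
    for h in hops:
        note = "  <- parent wrote into a copy of its own image (self-injection / hollowing pattern)" \
            if h["same_image"] else ""
        lines.append(f"{h['src']} {h['src_image']}\n  -> {h['dst']} {h['dst_image']} "
                     f"({h['writes']} writes){note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(injection_chain(WPM_ROWS)))
```

Read together with the Files section, the 4364 dumps at 0x400000 are the image of the second-stage process the loader wrote into, and the WSH01.exe it drops is the executable that finally writes into wscript.exe; the memory dumps for PIDs 4364 and 616 are the ones worth carving for the unpacked payload.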

Processes

C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

"C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe"

C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe

"C:\Users\Admin\AppData\Local\Temp\e0e89acf0231414faae852330d13f6bafcc6c1ef66f3fdf08d5ee82363977469.exe"

C:\Users\Admin\AppData\Local\Temp\WSH01.exe

"C:\Users\Admin\AppData\Local\Temp\WSH01.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\XcJBL.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trascolad.ru.com udp
GB 185.221.216.133:443 trascolad.ru.com tcp
US 8.8.8.8:53 133.216.221.185.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 139.228.2.23.in-addr.arpa udp
US 8.8.8.8:53 astatech-cn.com udp
GB 185.38.151.11:80 astatech-cn.com tcp
US 8.8.8.8:53 11.151.38.185.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 131.222.90.45.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
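The Network table mixes resolver traffic, the sandbox's own reverse lookups and the sample's real connections. The parser below is an added example, not part of the report; the rows are copied from the table, while treating 8.8.8.8 as the sandbox resolver, treating ip-api.com as a benign IP-lookup service (matching the report's "Looks up external IP address via web service" signature), and the "three or more connections to a raw IP on a non-standard port" beacon heuristic are all assumptions made here.

```python
"""Reduce the report's flattened Network listing to a short IOC set.
NETWORK_TABLE is copied from the report; parsing and classification are added."""
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 trascolad.ru.com udp
GB 185.221.216.133:443 trascolad.ru.com tcp
US 8.8.8.8:53 133.216.221.185.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 139.228.2.23.in-addr.arpa udp
US 8.8.8.8:53 astatech-cn.com udp
GB 185.38.151.11:80 astatech-cn.com tcp
US 8.8.8.8:53 11.151.38.185.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 131.222.90.45.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 45.90.222.131:7121 45.90.222.131 tcp
US 45.90.222.131:7121 45.90.222.131 tcp
"""

RESOLVERS = {"8.8.8.8"}              # assumption: the sandbox's DNS resolver, not an IOC
IP_LOOKUP_SERVICES = {"ip-api.com"}  # assumption: public geo/IP service, reported separately


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'131.222.90.45.in-addr.arpa' -> '45.90.222.131'."""
    octets = name[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(text, beacon_threshold=3):
    """Split the listing into resolved domains, contacted endpoints, a beacon
    candidate, and IPs that only appear in the sandbox's reverse lookups."""
    domains, lookups, ptr_ips = set(), set(), set()
    endpoints = Counter()
    for r in parse_rows(text):
        if r["domain"].endswith(".in-addr.arpa"):
            ptr_ips.add(ptr_to_ip(r["domain"]))    # sandbox reverse lookups, not malware IOCs
            continue
        if r["ip"] in RESOLVERS:
            (lookups if r["domain"] in IP_LOOKUP_SERVICES else domains).add(r["domain"])
            continue
        label = None if r["domain"] == r["ip"] else r["domain"]   # raw-IP connection has no name
        endpoints[(r["ip"], r["port"], label)] += 1
    connected = {ip for ip, _, _ in endpoints}
    # Heuristic: repeated connections to a bare IP on a non-web port within a
    # 150 s detonation look like a beacon; confirm against the pcap before acting.
    likely_beacon = sorted(f"{ip}:{port}" for (ip, port, label), n in endpoints.items()
                           if label is None and port not in (80, 443) and n >= beacon_threshold)
    return {
        "domains": sorted(domains),
        "lookup_services": sorted(lookups),
        "endpoints": {f"{ip}:{port}": n for (ip, port, _), n
                      in sorted(endpoints.items(), key=lambda kv: kv[0][:2])},
        "likely_beacon": likely_beacon,
        "ptr_only_ips": sorted(ptr_ips - connected),
    }


if __name__ == "__main__":
    for k, v in extract_iocs(NETWORK_TABLE).items():
        print(f"{k}: {v}")
```

The two named hosts are each contacted once over HTTP(S), which fits a download stage, while 45.90.222.131:7121 is hit eleven times in the detonation window and is the endpoint to block first; the ptr_only_ips are addresses the sandbox reverse-resolved without any forward connection in the table, so they need checking against the pcap before being treated as indicators.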

Files

C:\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\System.dll

MD5 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 223bef1f19e644a610a0877d01eadc9e28299509
SHA256 f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512 d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\System.dll

MD5 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 223bef1f19e644a610a0877d01eadc9e28299509
SHA256 f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512 d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

memory/356-129-0x00000000030B0000-0x0000000004AA7000-memory.dmp

memory/356-130-0x00000000030B0000-0x0000000004AA7000-memory.dmp

memory/356-131-0x00007FFF14E30000-0x00007FFF1500B000-memory.dmp

memory/356-132-0x0000000077381000-0x0000000077494000-memory.dmp

memory/356-133-0x0000000010000000-0x0000000010006000-memory.dmp

memory/4364-134-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-136-0x0000000001790000-0x0000000003187000-memory.dmp

memory/4364-137-0x00007FFF14E30000-0x00007FFF1500B000-memory.dmp

memory/4364-138-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-139-0x0000000001790000-0x0000000003187000-memory.dmp

memory/4364-140-0x0000000077406000-0x0000000077407000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WSH01.exe

MD5 dcc686cb21dfa32e9de87a6d8e7456fb
SHA1 00d1b251532dcb72ac2053df95342402f5694478
SHA256 bfffba7e6f2b39c8c465c75738d3393bffa25873f0ce255183deada13c04fe29
SHA512 a39320b0c28581ac7fd37ccdd11ed00143ef421d397bde698a5cfd9955ff0ca2153a73bb69b001699db23c19cd9fd941007e9234a13ee510f67a9ccd602d24f3

memory/4364-151-0x0000000000400000-0x0000000001783000-memory.dmp

memory/616-152-0x00000000001A0000-0x000000000022A000-memory.dmp

memory/616-154-0x00000000703D0000-0x0000000070ABE000-memory.dmp

memory/4364-155-0x0000000001790000-0x0000000003187000-memory.dmp

memory/4364-158-0x0000000000400000-0x0000000001783000-memory.dmp

memory/616-159-0x00000000703D0000-0x0000000070ABE000-memory.dmp

memory/4364-161-0x0000000000400000-0x0000000001783000-memory.dmp

C:\Users\Admin\AppData\Roaming\XcJBL.vbs

MD5 c437bda2e3045d21e7300dd3bb844cbb
SHA1 89fda9b463529b2309b8e1bd859f0cdeb2a8203f
SHA256 418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa
SHA512 d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

memory/4364-163-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-162-0x0000000001790000-0x0000000003187000-memory.dmp

memory/4364-164-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-165-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-166-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-167-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-169-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-170-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-171-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-172-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-173-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-174-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-175-0x0000000077381000-0x0000000077494000-memory.dmp

memory/4364-176-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-177-0x00000000339B0000-0x0000000033CD0000-memory.dmp

memory/4364-187-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-189-0x0000000000400000-0x0000000001783000-memory.dmp

memory/4364-191-0x0000000000400000-0x0000000001783000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcJBL.vbs

MD5 c437bda2e3045d21e7300dd3bb844cbb
SHA1 89fda9b463529b2309b8e1bd859f0cdeb2a8203f
SHA256 418839201445990cb7a747fe696d8b8377dcbef9378989c639d2c5a23da3d7fa
SHA512 d3de6c2cc4093478c65fa2a889b92d9a2ea3c6cc85edb5bd3b861bde2114fec2892236a41331998ea2bf48dd4b367d84d77cc46022e6d9cf7d30e90d09edecb8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TKY5VT23\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3