wshrat | 5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a | Triage

Sharing

General

Target

wpp.vbs
Size

257KB
Sample

230819-yn4caade6v
MD5

d87d4c42c10f332a96aa10ffb455f49d
SHA1

c6167ce4e59f14ce826a50e8d32847101e5e9dc8
SHA256

5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a
SHA512

d01c7072b7f9e85dbc8f160f0afc17116a5ec5039a1f07a9201d517d8029acc8f31b446ccd66f832eb5ea58c3e88db88b2e442c7965e0318af32852512c3aa8a
SSDEEP

384:GWbSLcLgOioL0XHys4KJPlTkXZ64SAzu7t7Q0TDh7O74DJxWO0K6dBjcOXoxAFuR:GZ8BcmuMwg4

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  wpp.vbs
- Size
  
  257KB
- MD5
  
  d87d4c42c10f332a96aa10ffb455f49d
- SHA1
  
  c6167ce4e59f14ce826a50e8d32847101e5e9dc8
- SHA256
  
  5ad4d5fb75a277e31b05e1a6f19c5fc3c007b5c2be03109d876ca457173a135a
- SHA512
  
  d01c7072b7f9e85dbc8f160f0afc17116a5ec5039a1f07a9201d517d8029acc8f31b446ccd66f832eb5ea58c3e88db88b2e442c7965e0318af32852512c3aa8a
- SSDEEP
  
  384:GWbSLcLgOioL0XHys4KJPlTkXZ64SAzu7t7Q0TDh7O74DJxWO0K6dBjcOXoxAFuR:GZ8BcmuMwg4
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan