wshrat | ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9 | Triage

Submit
Reports

Overview

overview

Static

static

3

ba1a738798...JC.exe

windows7-x64

ba1a738798...JC.exe

windows10-2004-x64

Sharing

General

Target

ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9_JC.exe
Size

2.1MB
Sample

231010-z95ynsbh8y
MD5

b6de2a88ddd8a054aa19818d7f0f7e5f
SHA1

26157de03c6c6c50b57f553a925e263064c101d1
SHA256

ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9
SHA512

9378ca26fef0fcbb0ca0ed6509a7a7673ae8c4064bd9156aa0be8d841292aa4b84a161a898abb438c73ed338503fa78f52d9703ec63a41e7dcc7066249e9b577
SSDEEP

49152:PkQTAhZM75sl9vhRFsmtkljB6chL58q/mJzhc+EbmOZt:PaLMVsPfFntkljB646q/mJmh

Score

10^/10

wshrat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9_JC.exe

Resource

win7-20230831-en

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9_JC.exe

Resource

win10v2004-20230915-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9_JC.exe
- Size
  
  2.1MB
- MD5
  
  b6de2a88ddd8a054aa19818d7f0f7e5f
- SHA1
  
  26157de03c6c6c50b57f553a925e263064c101d1
- SHA256
  
  ba1a738798423e40a68ace116d390c7aca541a4b6472c9139ab27d4af38710b9
- SHA512
  
  9378ca26fef0fcbb0ca0ed6509a7a7673ae8c4064bd9156aa0be8d841292aa4b84a161a898abb438c73ed338503fa78f52d9703ec63a41e7dcc7066249e9b577
- SSDEEP
  
  49152:PkQTAhZM75sl9vhRFsmtkljB6chL58q/mJzhc+EbmOZt:PaLMVsPfFntkljB646q/mJmh
Score

10^/10

wshrat trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2025

Terms | Privacy