wshrat

Resubmissions

01-05-2024 18:33

240501-w7fn8aff45 10

01-05-2024 18:30

240501-w5ts3adc6s 6

01-05-2024 18:18

240501-wxwbxsda71 6

Sharing

Copy URL

Twitter E-mail

General

Target

Pending_Invoice_Bank_Details.html
Size

10KB
Sample

240501-w7fn8aff45
MD5

0def2826514ff6887d5a2a6cc7db4b5b
SHA1

b6c964e67855f076e90fe5c339b02fa2fe423ddd
SHA256

9eb2dc6ae95f6631e25eb8679a25eb330f1a7c463d3ccf31c53a6daa1346f007
SHA512

cdfc1c5039bf03430d112109813915c89d6dd05592fc0b9a0e3d80e157ad7b404f55d0a1aaed2d1be1ffcdc1fb1c5513949ec713b9d22046cf9ca3de4f85d50a
SSDEEP

192:/TO8OGVCARwH8izhrnV9fxRQdjSecSc6i0bKVC:/TBCARwcizhrnV9fxRQxSecStbKVC

Score

10^/10

Malware Config

Extracted

Family

wshrat

http://masterokrwh.duckdns.org:8426

Targets

- Target
  
  Pending_Invoice_Bank_Details.html
- Size
  
  10KB
- MD5
  
  0def2826514ff6887d5a2a6cc7db4b5b
- SHA1
  
  b6c964e67855f076e90fe5c339b02fa2fe423ddd
- SHA256
  
  9eb2dc6ae95f6631e25eb8679a25eb330f1a7c463d3ccf31c53a6daa1346f007
- SHA512
  
  cdfc1c5039bf03430d112109813915c89d6dd05592fc0b9a0e3d80e157ad7b404f55d0a1aaed2d1be1ffcdc1fb1c5513949ec713b9d22046cf9ca3de4f85d50a
- SSDEEP
  
  192:/TO8OGVCARwH8izhrnV9fxRQdjSecSc6i0bKVC:/TBCARwcizhrnV9fxRQxSecStbKVC
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2