wshrat | 1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196 | Triage

Sharing

General

Target

230507-k7njaafd9x
Size

527KB
Sample

240924-t3whrstbjn
MD5

8faf36edfae1ec0e8eccd3c562c03903
SHA1

0c44c3c6291c67c4eae6e1f8238f098adaee1a32
SHA256

1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196
SHA512

a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b
SSDEEP

384:Lu1hvWiWMmkNULg4viK3Ai44MXziJGUSJ0Pw6qVskjhj6Zxc6Xx0f3+hFx+gItIL:cvO

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  230507-k7njaafd9x
- Size
  
  527KB
- MD5
  
  8faf36edfae1ec0e8eccd3c562c03903
- SHA1
  
  0c44c3c6291c67c4eae6e1f8238f098adaee1a32
- SHA256
  
  1c546a6548beda639640ebfbb52abd5f6013c33500172cfccf0e8716c96bb196
- SHA512
  
  a54ea5e74c1320259b23d43e2eaadf83cf0705306df6dd1ba4bd4e9d77889d04449aa5161ad33165814a8b0f7baf41567537b721a048222f655216d1efdca56b
- SSDEEP
  
  384:Lu1hvWiWMmkNULg4viK3Ai44MXziJGUSJ0Pw6qVskjhj6Zxc6Xx0f3+hFx+gItIL:cvO
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wshratpersistencetrojan

behavioral2

wshratpersistencetrojan