wshrat | 429b44e4d42d801dad356adfdcb434b29fc3bf1e24a750481b5a93742400b8e2

General

Target

BLindex.exe
Size

1.1MB
MD5

d070bf6585deded9e331ae77de76fcc4
SHA1

74c5e44d48b86414cbe8e604bb24fe03a5ced634
SHA256

a2b55ffb492faeced1033c534e4f462d3c0ac9f914f991361ba67067538a05d1
SHA512

b5e146eb60acbb68c2385370784f9fa5e8ba8e221ef5fffbe16ebb58108314ef7c0941d51e35608f108666e3093286c636e59931eb0286a6075a57ee52b3c0e8
SSDEEP

24576:Yma+QZG0nbLYR1yTb6h0BacWadNihTIvGn7Rk3w6hWNudTzIfAH:jcZnbLYXyTb6oacjosOu8O0G

Score

10^/10

wshrat discovery persistence trojan

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cc6-18.dat	family_wshrat

Wshrat family
wshrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
35	3048	wscript.exe
36	3048	wscript.exe
37	1616	wscript.exe
38	1616	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	BLindex.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fLOqD.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fLOqD.vbs	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fLOqD = "wscript.exe //B \"C:\\Users\\Admin\\fLOqD.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fLOqD = "wscript.exe //B \"C:\\Users\\Admin\\fLOqD.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fLOqD = "wscript.exe //B \"C:\\Users\\Admin\\fLOqD.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fLOqD = "wscript.exe //B \"C:\\Users\\Admin\\fLOqD.vbs\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	pastebin.com
36	pastebin.com
38	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 4332	3728	BLindex.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLindex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLindex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 3728 wrote to memory of 4332	3728	BLindex.exe	101
PID 4332 wrote to memory of 3048	4332	BLindex.exe	102
PID 4332 wrote to memory of 3048	4332	BLindex.exe	102
PID 4332 wrote to memory of 3048	4332	BLindex.exe	102
PID 3048 wrote to memory of 1616	3048	wscript.exe	104
PID 3048 wrote to memory of 1616	3048	wscript.exe	104
PID 3048 wrote to memory of 1616	3048	wscript.exe	104

C:\Users\Admin\AppData\Local\Temp\BLindex.exe
"C:\Users\Admin\AppData\Local\Temp\BLindex.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\BLindex.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\fLOqD.vbs
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\fLOqD.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLindex.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Roaming\fLOqD.vbs

Filesize
180KB

MD5
ce5fbaa17fce4e39f31933337914f6e0

SHA1
7a81083f65a156ebc2895eb89e693853e1e73e15

SHA256
13b1302f2e0c9fbfebba0ff3f133d2403a03eed5d66f60121dc26549180c4f50

SHA512
61da1f1a932dafa4fbff53eef61c076ef0fdb0120853f724a02f2322804c69e00c001b5afba003bc5fbc2ab1269b646d488c1baaf840075206d48c6cf53d6ffe

Download Submit
memory/3728-4-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/3728-9-0x0000000008F70000-0x0000000009060000-memory.dmp

Filesize
960KB

Download
memory/3728-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/3728-5-0x0000000002C40000-0x0000000002C4A000-memory.dmp

Filesize
40KB

Download
memory/3728-6-0x0000000008BD0000-0x0000000008BDA000-memory.dmp

Filesize
40KB

Download
memory/3728-7-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/3728-8-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/3728-3-0x0000000007780000-0x0000000007812000-memory.dmp

Filesize
584KB

Download
memory/3728-10-0x000000000A5A0000-0x000000000A63C000-memory.dmp

Filesize
624KB

Download
memory/3728-1-0x0000000000760000-0x000000000088A000-memory.dmp

Filesize
1.2MB

Download
memory/3728-2-0x0000000007D30000-0x00000000082D4000-memory.dmp

Filesize
5.6MB

Download
memory/3728-14-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4332-15-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4332-17-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4332-11-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads