Malware Analysis Report

2025-04-14 08:20

Sample ID 250325-xthgbsvjz2
Target 3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7.zip
SHA256 3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7
Tags
wshrat execution persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7

Threat Level: Known bad

The file 3aba14649b590ad2ae66902bcb8f5411ec579df5de9e7edb543eafe1183eeec7.zip was found to be: Known bad.

Malicious Activity Summary

wshrat execution persistence trojan

WSHRAT payload

WSHRAT

Wshrat family

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-25 19:08

Signatures

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-25 19:08

Reported

2025-03-25 19:11

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 3044 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 anekemoney.com udp

Files

C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

MD5 2852bd566a1ec01b41c53e4e738c6f4a
SHA1 f777cd9e907866bfb9e5513c94fc84f2dcd2cd3a
SHA256 d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb
SHA512 f1a75eb649375c2dd18072977e8ebd04988c705a3ecbca10e5cf5bda1e5886e26d66380467d221efbbaf3137128fda8fe62af61f728769dd47abfd79bf0f7e17

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-25 19:08

Reported

2025-03-25 19:11

Platform

win10v2004-20250313-en

Max time kernel

148s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Wshrat family

wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 768 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 anekemoney.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb.js

MD5 2852bd566a1ec01b41c53e4e738c6f4a
SHA1 f777cd9e907866bfb9e5513c94fc84f2dcd2cd3a
SHA256 d56c3c009248c55acb99fa5d7c66ca8d6555a3559b66b69aeff99327aa9e2beb
SHA512 f1a75eb649375c2dd18072977e8ebd04988c705a3ecbca10e5cf5bda1e5886e26d66380467d221efbbaf3137128fda8fe62af61f728769dd47abfd79bf0f7e17