wshrat | fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05 | Triage

Submit
Reports

Overview

overview

Static

static

1

fad0c2df71...d05.js

windows7-x64

fad0c2df71...d05.js

windows10-2004-x64

Sharing

General

Target

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js
Size

7KB
Sample

240529-njlxbsdf38
MD5

8a006c1466998c2bde5fa110296bf4da
SHA1

38f5819efe2bfece434ff9de7ce327ad1dab920a
SHA256

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05
SHA512

f90be849f383d9919c8463b4041d1e89a4de5e47cf9ef1dcb21f8af0d326857ce45e75c7100aed1c217b885a077001cfa50bb7489144f5f010e84b20c3d19ece
SSDEEP

96:p8KvZU3TRRkyPWXsy7jZRZcmq74qe0tJLgy0c15Q:rsTRAL/ure0tFgc8

Score

10^/10

wshrat execution persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js

Resource

win7-20240419-en

wshrat execution persistence trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js

Resource

win10v2004-20240508-en

wshrat execution persistence trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

- Target
  
  fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05.js
- Size
  
  7KB
- MD5
  
  8a006c1466998c2bde5fa110296bf4da
- SHA1
  
  38f5819efe2bfece434ff9de7ce327ad1dab920a
- SHA256
  
  fad0c2df718c20c0615e237b5da75f6e93a867d7168921a6af3afb41834b4d05
- SHA512
  
  f90be849f383d9919c8463b4041d1e89a4de5e47cf9ef1dcb21f8af0d326857ce45e75c7100aed1c217b885a077001cfa50bb7489144f5f010e84b20c3d19ece
- SSDEEP
  
  96:p8KvZU3TRRkyPWXsy7jZRZcmq74qe0tJLgy0c15Q:rsTRAL/ure0tFgc8
Score

10^/10

wshrat execution persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

wshratexecutionpersistencetrojan

behavioral2

wshratexecutionpersistencetrojan

© 2018-2024

Terms | Privacy