MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WSHRAT


Vendor detections: 7



SHA256 hash: 0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d
SHA3-384 hash: 97b2750e45c9acf53ff31b6e54d282f395155ad96300bc9b0483fb55d93469d3eb1f57a27b3ba6946477d5bf99e8ca58
SHA1 hash: 8e2abd5f01f36b38d3674847dff518e7a4eef897
MD5 hash: 384b434bcfeec7287cf02b7aefa06c52
humanhash: rugby-london-salami-twelve
File name: CV Actualis_.bin
Signature: WSHRAT
File size: 1'795'889 bytes
First seen: 2020-10-09 10:07:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 49152:HAI+4uCiBg4xu/dCXr3Fbbcnn7hB2KeOK6I5vJhSnEyQh:HAI+4ia4xu/Qb3p4feOLI5xgnPQh
Threatray: 332 similar samples on MalwareBazaar
TLSH: 9B85F1A4314180BBD0A375F0FC4FCA6031AB7DDF53B4964963E7BE2ED493212129B65A
Reporter: JAMESWT_WT
Tags: bundle with slimpdf reader wshrat
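Before doing anything with a downloaded copy of this sample, confirm that the bytes on disk are the ones this entry describes. The snippet below is an added example, not MalwareBazaar's own code: it recomputes the four digests listed above (MD5, SHA1, SHA256 and SHA3-384, all available in Python's standard hashlib) and only accepts the file when every one of them matches. The `fake` bytes in the main block are constructed stand-in input so the code runs offline; ssdeep, TLSH and imphash are not recomputed here because they need third-party libraries.

```python
import hashlib

# Digests exactly as listed in this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "384b434bcfeec7287cf02b7aefa06c52",
    "sha1": "8e2abd5f01f36b38d3674847dff518e7a4eef897",
    "sha256": "0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d",
    "sha3_384": "97b2750e45c9acf53ff31b6e54d282f395155ad96300bc9b0483fb55d93469d3eb1f57a27b3ba6946477d5bf99e8ca58",
}


def compute_hashes(data: bytes) -> dict:
    """Compute every digest the entry lists, keyed by hashlib algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def verify_sample(data: bytes, expected: dict = ENTRY_HASHES) -> dict:
    """Compare each listed digest against the file; returns {algorithm: matched}.
    A partial match (say SHA1 agrees but SHA256 does not) means you have the
    wrong file or a corrupted download, so every algorithm is reported."""
    actual = compute_hashes(data)
    return {name: actual[name] == expected[name].lower() for name in expected}


def is_listed_sample(data: bytes, expected: dict = ENTRY_HASHES) -> bool:
    """True only if all listed digests agree with the bytes given."""
    return all(verify_sample(data, expected).values())


if __name__ == "__main__":
    # Constructed placeholder bytes; replace with open("CV Actualis_.bin", "rb").read()
    # after extracting the archive from MalwareBazaar (archive password: infected).
    fake = b"not the real sample"
    for algo, ok in verify_sample(fake).items():
        print(f"{algo:8s} {'match' if ok else 'MISMATCH'}")
    print("listed sample:", is_listed_sample(fake))
```

Run it against the extracted file rather than the downloaded archive; the digests are of the PE itself.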

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Launching a process
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Running batch commands
Creating a process with a hidden window
Searching for the window
Creating a file
Moving a recently created file
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Launching a tool to kill processes
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 66 / 100
Signature
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Wscript called in batch mode (surpress errors)
Yara detected WSHRAT
Behaviour
Behavior Graph (ID 295746; sample: CV Actualis_.bin; start date: 09/10/2020; architecture: WINDOWS; score: 66), recovered from the graph rendering:

Top-level signatures: Sigma detected: Register Wscript In Run Key; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; 7 other signatures.

Process tree:
CV Actualis_.exe
  drops C:\...\InstallSlimPDFReader.exe (PE32)
  starts wscript.exe
    drops C:\Users\user\...\InstallSlimPDFReader.js (ASCII)
    signatures: Drops script or batch files to the startup folder; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); Wscript called in batch mode (surpress errors)
    starts wscript.exe
      network: blackid-43205.portmap.io 138.197.189.80 port 1118 (source ports 49752, 49753), DIGITALOCEAN-ASN, United States; ip-api.com 208.95.112.1 port 80 (source port 49751), TUT-AS, United States
      drops C:\Users\user\AppData\Roaming\kl-plugin.exe (PE32); C:\Users\user\...\InstallSlimPDFReader.js (ASCII)
      signature: System process connects to network (likely due to code injection or exploit)
      starts kl-plugin.exe
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
      starts cmd.exe
        starts taskkill.exe
        starts conhost.exe
  starts InstallSlimPDFReader.exe
    drops C:\Users\user\...\InstallSlimPDFReader.tmp (PE32)
    starts InstallSlimPDFReader.tmp
      drops C:\Users\user\AppData\Local\...\itech.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
wscript.exe (second top-level instance)
  signature: Wscript called in batch mode (surpress errors)
  starts wscript.exe
wscript.exe (third top-level instance)
3 other processes
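The sandbox signatures above (Register Wscript In Run Key, Drops script or batch files to the startup folder, Wscript called in batch mode, Uses known network protocols on non-standard ports, May check the online IP address of the machine) describe behaviour that is cheap to detect from endpoint telemetry. The block below is an added example, not code from MalwareBazaar, Joe Sandbox or any vendor, and not the actual Sigma rules: four detection functions in the spirit of those signatures, run over constructed Sysmon-like events. Field names follow Sysmon (TargetObject, Details, TargetFilename, CommandLine, DestinationHostname, DestinationPort); the event shapes, the `payload.js` path, the `Updater.exe` Run entry and the firefox.exe connection are made up for illustration, while the portmap.io and ip-api.com destinations are the ones seen in the behavior graph.

```python
import re

# Constructed telemetry in a Sysmon-like shape. These are NOT records from the
# sandbox run on this page; they are hand-written so the rules have input.
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\payload",
     "Details": r'wscript.exe //B "C:\Users\user\AppData\Roaming\payload.js"'},
    {"EventType": "RegistryValueSet",  # benign Run entry, must not fire
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"EventType": "FileCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.js"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\user\AppData\Roaming\payload.js"'},
    {"EventType": "NetworkConnect",  # C2 destination from the behavior graph
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "blackid-43205.portmap.io",
     "DestinationIp": "138.197.189.80", "DestinationPort": 1118},
    {"EventType": "NetworkConnect",  # external-IP lookup from the behavior graph
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "ip-api.com",
     "DestinationIp": "208.95.112.1", "DestinationPort": 80},
    {"EventType": "NetworkConnect",  # ordinary browser traffic, must not fire
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd")
IP_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com"}
# wscript //B runs the script in batch mode, suppressing error dialogs.
BATCH_FLAG = re.compile(r"(?:^|\s)//b(?:\s|$)")


def rule_run_key_script_host(ev):
    """Run-key value whose data invokes a script host or points at a script file."""
    if ev["EventType"] != "RegistryValueSet" or RUN_KEY not in ev["TargetObject"].lower():
        return None
    data = ev["Details"].lower()
    if any(h in data for h in SCRIPT_HOSTS) or data.rstrip('"').endswith(SCRIPT_EXT):
        return f"Run key persistence via script host: {ev['Details']}"
    return None


def rule_startup_folder_script(ev):
    """Script file written into a Startup folder (runs at logon without a Run key)."""
    if ev["EventType"] != "FileCreate":
        return None
    path = ev["TargetFilename"].lower()
    if STARTUP_DIR in path and path.endswith(SCRIPT_EXT):
        return f"Script dropped into Startup folder: {ev['TargetFilename']}"
    return None


def rule_wscript_batch_mode(ev):
    """Script host started with //B, hiding errors from the user."""
    if ev["EventType"] != "ProcessCreate" or not ev["Image"].lower().endswith(SCRIPT_HOSTS):
        return None
    if BATCH_FLAG.search(ev["CommandLine"].lower()):
        return f"Script host launched in batch mode: {ev['CommandLine']}"
    return None


def rule_script_host_network(ev):
    """Script host talking to an IP-lookup service or to a non-HTTP(S) port."""
    if ev["EventType"] != "NetworkConnect" or not ev["Image"].lower().endswith(SCRIPT_HOSTS):
        return None
    host, port = ev.get("DestinationHostname", "").lower(), ev["DestinationPort"]
    if host in IP_LOOKUP_HOSTS:
        return f"Script host looked up external IP via {host}"
    if port not in (80, 443):
        return f"Script host connected to {host}:{port} (non-standard port)"
    return None


RULES = [rule_run_key_script_host, rule_startup_folder_script,
         rule_wscript_batch_mode, rule_script_host_network]


def run_rules(events):
    """Return (event index, rule name, message) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for i, name, msg in run_rules(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {msg}")
```

The network rule deliberately exempts ports 80 and 443 so that it is the destination (an IP-lookup service, or a port-forwarding host on 1118 as in the graph) rather than any outbound connection that raises the alert; tune IP_LOOKUP_HOSTS and the port list to your environment.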
Threat name: Win32.Worm.Vjworm
Status: Malicious
First seen: 2020-10-09 10:07:26 UTC
File Type: PE (Exe)
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence discovery
Behaviour
Kills process with taskkill
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Unpacked files
SHA256 hash: 0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d
MD5 hash: 384b434bcfeec7287cf02b7aefa06c52
SHA1 hash: 8e2abd5f01f36b38d3674847dff518e7a4eef897

SHA256 hash: ae802402022b7a23c5d9e6863c9587102bbc04dbcd2fb4b087309e93a7dedd34
MD5 hash: 78fd8cbc65d21ae9d82da0c6e5d9bedc
SHA1 hash: a49e539502ba74b0eb466104f4d5335fc018adc4

SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: e3b16057ccbf59a0026a0d9e257092786ed597b910a859919cb43a3eb9ba3e8f
MD5 hash: 3dd10a9d504deed70f217eff2c3113d1
SHA1 hash: 21203b5684c719ef07c4e3a091ba6878a47bc8d9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
