MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e0a11e68c1edd3854a74a91c3c9c33cfc531bb27cd4860ee09230b8311e45eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WSHRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	1e0a11e68c1edd3854a74a91c3c9c33cfc531bb27cd4860ee09230b8311e45eb
SHA3-384 hash:	c5cd772ee81894b2da971bc5490456f15a8c1327995a8cd3bf30346ef0df9a0e7db2863b226263d9e6f22ad88a02649e
SHA1 hash:	c9371dc48b087f511e369dce0fc7f4de30b420cf
MD5 hash:	0cbced12534e530e9ef33ef2fe01064f
humanhash:	mountain-texas-chicken-lithium
File name:	adobe.js
Download:	download sample
Signature	WSHRAT Create hunting rule
File size:	313'135 bytes
First seen:	2025-05-21 08:46:02 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	1536:KPLcRFKsl3OhnYqFZFLsFCQy8qyUcy9y9y9y9y9y9y9y9y9y9y9y9y9y9y9yUwGa:KC
TLSH	T17D649F81D7DB273A16977A09F308B5ADB1E0A719C90B7FDF71A13788DA29617D300A1C
Magika	javascript
Reporter	JAMESWT_WT
Tags:	js umar050connect-kozow-com wshrat

Intelligence

File Origin

# of uploads :

# of downloads :

554

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Other.Malware-gen.1725.16285.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=682d92e82f280a98fb42c987

Tags:

autorun cryxos

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd evasive explorer lolbin lolbin obfuscated persistence wscript

Link:

https://www.filescan.io/uploads/682d92f0bff72ff46b675ccd/reports/6a3e5f33-1cc3-4eb0-a8bf-362b435ac61d/overview

Verdict:

Malicious

Labled as:

Trojan.Cryxos.JS

Link:

https://www.hybrid-analysis.com/sample/1e0a11e68c1edd3854a74a91c3c9c33cfc531bb27cd4860ee09230b8311e45eb

Result

Threat name:

WSHRat

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1695748

Signature

C2 URLs / IPs found in malware configuration

Detected WSHRat

Drops script or batch files to the startup folder

Found malware configuration

JavaScript source code contains call to eval containing suspicious API calls

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Drops script at startup location

Sigma detected: Register Wscript In Run Key

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

System process connects to network (likely due to code injection or exploit)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Yara detected WSHRAT

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1e0a11e68c1edd3854a74a91c3c9c33cfc531bb27cd4860ee09230b8311e45eb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e0a11e68c1edd3854a74a91c3c9c33cfc531bb27cd4860ee09230b8311e45eb/

Threat name:

Script-JS.Trojan.Cryxos

Status:

Malicious

First seen:

2025-05-19 23:31:11 UTC

File Type:

Text (JavaScript)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dyfbdzumd3otqvfhjki4hsodht6fgg5sptkimdxasiylqmi6ixvq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

execution persistence

Link:

https://tria.ge/reports/250521-kpg9jstrt2/

Behaviour

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Adds Run key to start application

Drops startup file

Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e0a11e68c1edd3854a74a91c3c9c33cfc531bb27cd4860ee09230b8311e45eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample