MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea
SHA3-384 hash: bea3a9625ff4ccc8a7e1e4bdfdaa7cdc074a6f1cca7595d83916e9b1b7e84043b448bcec88d2adecf50237d4b05718d0
SHA1 hash: 6f2c63adcdda5114299344058464016be1a87c70
MD5 hash: 6b262e3cfe7e64378337669bbdf768fb
humanhash: artist-jupiter-music-pasta
File name:6b262e3cfe7e64378337669bbdf768fb
Download: download sample
Signature WSHRAT
Create hunting rule
File size:622'080 bytes
First seen:2023-09-29 11:44:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 12288:dh1Lk70TnvjcZsqnY9LH8Vaxc07BK9GGjcCUfHP2kuGZiCKAzDN/ELq:Zk70TrcZr3ycKNubUfHDFkCK8h/1
TLSH T16AD4122174C0C2B2D4B7107240E6CB769A7A7076077AA2D7B79D5BBA2F122E093353CD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe wshrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451965/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin net_reactor packed packed
Link:
https://www.filescan.io/uploads/6516b8c333582f234e06e337/reports/a06a5a3f-1f36-4640-b9dc-ad3270e12a55/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01ee6223-b60d-45d0-86a9-efea18c172e0
Result
Threat name:
RedLine, WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316495
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains VNC / remote desktop functionality (version string found)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Register Wscript In Run Key
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected RedLine Stealer
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1316495 Sample: X5syM7G5V6.exe Startdate: 29/09/2023 Architecture: WINDOWS Score: 100 38 Sigma detected: Register Wscript In Run Key 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 13 other signatures 2->44 7 X5syM7G5V6.exe 1 2->7         started        10 wscript.exe 2->10         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        process3 signatures4 46 Writes to foreign memory regions 7->46 48 Allocates memory in foreign processes 7->48 50 Injects a PE file into a foreign processes 7->50 16 CasPol.exe 5 7->16         started        20 BackgroundTransferHost.exe 13 7->20         started        process5 file6 26 C:\Users\user\AppData\Roaming\mGxdd.vbs, assembler 16->26 dropped 32 Potential malicious VBS script found (suspicious strings) 16->32 34 Potential malicious VBS script found (has network functionality) 16->34 36 Potential evasive VBS script found (sleep loop) 16->36 22 wscript.exe 3 15 16->22         started        signatures7 process8 dnsIp9 28 2.59.254.111, 2420, 49777, 49778 CMCSUS Germany 22->28 30 ip-api.com 208.95.112.1, 49776, 80 TUT-ASUS United States 22->30 52 System process connects to network (likely due to code injection or exploit) 22->52 54 May check the online IP address of the machine 22->54 56 Contains VNC / remote desktop functionality (version string found) 22->56 58 2 other signatures 22->58 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-22 23:58:57 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k55tufjn3sowkwfndm4o63nisjlsfgw7a3jjr2qckbeknvos7tva._file
Verdict:
malicious
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:wshrat persistence trojan
Link:
https://tria.ge/reports/230929-nwqq2sbf37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Blocklisted process makes network request
WSHRAT
WSHRAT payload
Unpacked files
SH256 hash:
2ab3955e32ac08fcbdd811bd04b90b87094c0cbb3b30bfd76d4b748b4c14d7d9
MD5 hash:
37107b93236460fd679efddea908853d
SHA1 hash:
b3d6a7352cb87a9e8ccf2df263c469a78f7b04ca
Link:
https://www.unpac.me/results/60854740-7fbc-416a-b2b4-26d8ceae9029/
SH256 hash:
14fed88fea6ad9bec8ad1ec80fb53b340bb3e8c3b3c19bf16adfb94728a49d42
MD5 hash:
14ec02f7c5debcf3590f0aeb36abfcc0
SHA1 hash:
810ef1d903953f6deedb1885dc44deeb8aadded8
Link:
https://www.unpac.me/results/60854740-7fbc-416a-b2b4-26d8ceae9029/
SH256 hash:
acbba986cf26cd68471d4826b5e637c784cbe85003ddb59fce1556471f72b208
MD5 hash:
6623308399f637b62312b90cdc655ea9
SHA1 hash:
5bf0a46642d032d9ca5a2fc6e4df91ec0800e812
Link:
https://www.unpac.me/results/60854740-7fbc-416a-b2b4-26d8ceae9029/
SH256 hash:
a0ee367f92796ac4cd024f4adf6d2adc21474ba07b81b9ce94429d07e7be13a9
MD5 hash:
49e55635caec37322fe22b439460c0fd
SHA1 hash:
2cb103408b9b7212f97fd2c26674c2cbc207a731
Link:
https://www.unpac.me/results/60854740-7fbc-416a-b2b4-26d8ceae9029/
SH256 hash:
577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea
MD5 hash:
6b262e3cfe7e64378337669bbdf768fb
SHA1 hash:
6f2c63adcdda5114299344058464016be1a87c70
Link:
https://www.unpac.me/results/60854740-7fbc-416a-b2b4-26d8ceae9029/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/577b3a152ddc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WSHRAT

Executable exe 577b3a152ddc9d6558ad1b38ef6da89257229adf06d298ea025048a6d5d2fcea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715030/
Cape
Cape
https://www.capesandbox.com/analysis/451965/

Comments


Avatar
zbet commented on 2023-09-29 11:44:34 UTC

url : hxxp://194.180.49.211/bas/RAINN.exe