MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57c2349f1ebc638572ed4c2566fbae3293e1b933561d9f7dd47aac8826442eed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 8


Intelligence 8 IOCs 5 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57c2349f1ebc638572ed4c2566fbae3293e1b933561d9f7dd47aac8826442eed
SHA3-384 hash: b35cbe273baeb04ae9c75a2899441e26fd3884ded9b5a003e6e2eb14b693d79813327fb227d9e5d50dc4624351466bee
SHA1 hash: 094cee40bb4b0b9cd8e9f4614c298988f4221c09
MD5 hash: 1bfd1b738f6291505115453205aade5e
humanhash: lion-winter-fruit-comet
File name:NewPurchaseOrderForJune.exe
Download: download sample
Signature WSHRAT
Create hunting rule
File size:774'144 bytes
First seen:2021-06-17 02:41:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Z21Ehlm4S4F3M9ySm2iNEsSlIqVi1wpR/CzfcSnNlvN4RJXMqs7FxJIYc1:Z80Wa1ulVawpR/AfbvN4XpoFxeYc
Threatray 908 similar samples on MalwareBazaar
TLSH 88F4CF243AFEA129F173EF355AD07586DAAFF6633703D85D2891038B4623A41DEC153A
Reporter abuse_ch
Tags:exe RAT wshrat


Avatar
abuse_ch
WSHRAT C2:
http://104.161.42.236:6500/is-ready

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://104.161.42.236:6500/is-ready https://threatfox.abuse.ch/ioc/131445/
http://104.161.42.236:6500/moz-sdk https://threatfox.abuse.ch/ioc/131446/
http://104.161.42.236:6500/give-me-chpv https://threatfox.abuse.ch/ioc/131447/
http://104.161.42.236:6500/give-me-ffpv https://threatfox.abuse.ch/ioc/131448/
http://104.161.42.236:6500/ie https://threatfox.abuse.ch/ioc/131449/

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NewPurchaseOrderForJune.exe
Verdict:
Malicious activity
Analysis date:
2021-06-17 02:44:28 UTC
Tags:
evasion trojan stealer wshrat dunihi
Link:
https://app.any.run/tasks/3ca5c5f5-4f91-4bc8-a40c-2826fc915fca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe4875aa-cb3a-4fad-8623-a880833d5049
Result
Threat name:
WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803440
Signature
Adds a directory exclusion to Windows Defender
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Shell Script Host drops VBS files
Wscript called in batch mode (surpress errors)
Yara detected AntiVM3
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435851 Sample: NewPurchaseOrderForJune.exe Startdate: 17/06/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Yara detected AntiVM3 2->72 74 9 other signatures 2->74 7 NewPurchaseOrderForJune.exe 7 2->7         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        15 3 other processes 2->15 process3 file4 44 C:\Users\user\AppData\...\IWBdllKaYAy.exe, PE32 7->44 dropped 46 C:\Users\...\IWBdllKaYAy.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmpB26C.tmp, XML 7->48 dropped 50 C:\Users\...50ewPurchaseOrderForJune.exe.log, ASCII 7->50 dropped 76 Potential malicious VBS script found (suspicious strings) 7->76 78 Potential malicious VBS script found (has network functionality) 7->78 80 Potential evasive VBS script found (sleep loop) 7->80 86 3 other signatures 7->86 17 NewPurchaseOrderForJune.exe 7->17         started        21 powershell.exe 24 7->21         started        23 powershell.exe 24 7->23         started        27 2 other processes 7->27 82 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 11->82 84 Wscript called in batch mode (surpress errors) 11->84 25 wscript.exe 13->25         started        signatures5 process6 dnsIp7 60 192.168.2.1 unknown unknown 17->60 42 C:\Users\user\AppData\Roaming\WPXhb.vbs, assembler 17->42 dropped 29 wscript.exe 17->29         started        34 conhost.exe 21->34         started        36 conhost.exe 23->36         started        38 conhost.exe 27->38         started        40 conhost.exe 27->40         started        file8 process9 dnsIp10 62 104.161.42.236, 49705, 49706, 49707 IOFLOODUS United States 29->62 64 wshsoft.company 194.59.164.67, 49709, 80 AS-HOSTINGERLT Germany 29->64 66 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 29->66 52 C:\Users\user\AppData\Roaming\...\WPXhb.vbs, assembler 29->52 dropped 54 C:\...\api-ms-win-crt-utility-l1-1-0.dll, PE32 29->54 dropped 56 C:\Users\...\api-ms-win-crt-time-l1-1-0.dll, PE32 29->56 dropped 58 46 other files (none is malicious) 29->58 dropped 88 System process connects to network (likely due to code injection or exploit) 29->88 90 Potential malicious VBS script found (suspicious strings) 29->90 92 Potential malicious VBS script found (has network functionality) 29->92 94 5 other signatures 29->94 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57c2349f1ebc638572ed4c2566fbae3293e1b933561d9f7dd47aac8826442eed/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 02:42:11 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7bdjhy6xrryk4xnjqswn65ogkj6dojtkyoz67oupkwiqjsef3wq._file
Verdict:
unknown
Similar samples:
054d100afdadfa10c55b97562d697358e8189b4d9414403626a480a7d4474c96
WSHRAT
6ff2bdc1f84168996dc5e78e976f7ea1a8db3727d051d9a76aefb401db0bae52
WSHRAT
85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d
WSHRAT
8cfcf36016d933b2dee4ecea9f2d0416444fda668345c0cf82845f49962cd013
WSHRAT
a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7
WSHRAT
a43e700d308ec72f30fd4098b7d4113b83c244d3679f4b59f26f7f309ebefdcc
WSHRAT
a63c16cb1a26010951dc0d60261f95b7236cd70c4843e906503ba7421ee139e2
WSHRAT
b775f99027bd54675dc308d80174478b62f33f6c432a7e2849ddf970b118bf41
WSHRAT
d05137187ad1369e08988ebedf21dbe0eb3b17de4dc580d933a0a3a996ce0f8d
WSHRAT
e141c331bbc43440e353a82fd9ac6e5446d6d9a6da6882026a086e34bb44f0f6
WSHRAT
+ 898 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:wshrat persistence trojan
Link:
https://tria.ge/reports/210617-pb6gbnfc5a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Blocklisted process makes network request
WSHRAT
WSHRAT Payload
Unpacked files
SH256 hash:
92ae1b933de3b46a0208ef75f65699716926fa0cea1afd74fc424b8afde249ce
MD5 hash:
0f5baeb5436502a670de5e6b88984ff3
SHA1 hash:
e3b11d344778b0de8e8e9261e519119c0872839e
Link:
https://www.unpac.me/results/2a4c17e9-6628-4571-80ad-6d2a9c0bf175/
SH256 hash:
57c2349f1ebc638572ed4c2566fbae3293e1b933561d9f7dd47aac8826442eed
MD5 hash:
1bfd1b738f6291505115453205aade5e
SHA1 hash:
094cee40bb4b0b9cd8e9f4614c298988f4221c09
Link:
https://www.unpac.me/results/2a4c17e9-6628-4571-80ad-6d2a9c0bf175/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57c2349f1ebc638572ed4c2566fbae3293e1b933561d9f7dd47aac8826442eed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments