MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d
SHA3-384 hash: b8722e03bd218b455ac77133a9234ca9531956ea4353f4fbfdc55bcec33064ec43b7a526b5d47cdf46aaa4e1a9df385f
SHA1 hash: d5e3e212edfff00ff973a1cee17a8029364b87c6
MD5 hash: 46517b469ec589b249fe1990c0c460d9
humanhash: crazy-saturn-fifteen-fish
File name:DRAFTCOPY.098777-BILLADING-UPDATEDTRACKING99998YT6.exe
Download: download sample
Signature WSHRAT
Create hunting rule
File size:1'127'128 bytes
First seen:2023-01-13 10:57:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:/TbBv5rUiNuX1kSerCiPl/pkueDc/WufIPxRMa2tStaBAlfl:JB5Oezl/pkuXWgIPN264Sfl
Threatray 685 similar samples on MalwareBazaar
TLSH T1613512027AC19A72C0A319325A397B20B97DBD201F65CEDF67D1661DAA312D0E7317E3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon eccc8c94d4d8e8f4 (21 x Formbook, 15 x AgentTesla, 5 x Loki)
Reporter Anonymous
Tags:exe wshrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
wshrat
Create hunting rule
ID:
1
File name:
DRAFTCOPY.098777-BILLADING-UPDATEDTRACKING99998YT6.exe
Verdict:
Malicious activity
Analysis date:
2023-01-03 19:57:56 UTC
Tags:
evasion trojan wshrat
Link:
https://app.any.run/tasks/d552b71c-894d-414f-8063-329b13c5e600

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352550/
Detection(s):
Win.Dropper.Nanocore-9981431-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/59999/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien anti-vm greyware nanocore overlay packed ransomware setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63c1393b71fb096abeed7db1/reports/2ce0e91e-eec2-4c90-9a3d-68dda2c3a202/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/33be8d91-2f2d-4e19-a022-eb0fd982158d
Result
Threat name:
WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151003
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Starts an encoded Visual Basic Script (VBE)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected AntiVM autoit script
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 783735 Sample: DRAFTCOPY.098777-BILLADING-... Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 58 Sigma detected: Register Wscript In Run Key 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Antivirus detection for URL or domain 2->62 64 10 other signatures 2->64 10 DRAFTCOPY.098777-BILLADING-UPDATEDTRACKING99998YT6.exe 81 2->10         started        14 wscript.exe 2->14         started        16 wscript.exe 2->16         started        18 2 other processes 2->18 process3 file4 44 C:\Users\user\AppData\Local\...\fclliow.exe, PE32 10->44 dropped 84 Starts an encoded Visual Basic Script (VBE) 10->84 20 wscript.exe 1 10->20         started        86 Wscript called in batch mode (surpress errors) 14->86 23 wscript.exe 14->23         started        signatures5 process6 signatures7 66 System process connects to network (likely due to code injection or exploit) 20->66 68 Potential malicious VBS script found (suspicious strings) 20->68 70 Potential malicious VBS script found (has network functionality) 20->70 72 5 other signatures 20->72 25 fclliow.exe 2 20->25         started        process8 signatures9 76 Antivirus detection for dropped file 25->76 78 Multi AV Scanner detection for dropped file 25->78 80 Found API chain indicative of sandbox detection 25->80 82 3 other signatures 25->82 28 RegSvcs.exe 3 25->28         started        process10 file11 46 C:\Users\user\AppData\Roaming\WmBqH.vbs, assembler 28->46 dropped 88 Potential malicious VBS script found (suspicious strings) 28->88 90 Potential malicious VBS script found (has network functionality) 28->90 92 Potential evasive VBS script found (sleep loop) 28->92 32 wscript.exe 3 3 28->32         started        signatures12 process13 file14 40 C:\Users\user\AppData\Roaming\...\WmBqH.vbs, assembler 32->40 dropped 42 C:\Users\user\AppData\Local\Temp\WmBqH.vbs, assembler 32->42 dropped 54 Windows Shell Script Host drops VBS files 32->54 56 Wscript called in batch mode (surpress errors) 32->56 36 wscript.exe 15 32->36         started        signatures15 process16 dnsIp17 48 newmoney2033.duckdns.org 192.99.255.74, 5000 OVHFR Canada 36->48 50 ip-api.com 208.95.112.1, 49701, 80 TUT-ASUS United States 36->50 52 192.168.2.1 unknown unknown 36->52 74 System process connects to network (likely due to code injection or exploit) 36->74 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d/
Threat name:
Win32.Trojan.Houdini
Create hunting rule
Status:
Malicious
First seen:
2022-12-29 18:17:58 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
23 of 32 (71.88%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5g3tqfz2ymqafuwjpzzc3b7hjny6yaoutwslfk53ts2iulgxqgq._file
Verdict:
malicious
Similar samples:
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
WSHRAT
64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a
WSHRAT
91a207926f0e26374d6a2a711aff82aeaf9bca709ffabd8d6f5b40ad3a301723
WSHRAT
b3abbc4d6ecd9a9774e53fca4639b59cd5e24fde9bf97742b046ece663eb2e41
WSHRAT
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
WSHRAT
dcef53803395ab07ecfa4230ae586003b507e875cd93bae17648c47b536a7622
WSHRAT
+ 675 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:wshrat persistence trojan
Link:
https://tria.ge/reports/230113-m2tjfsgd34/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
WSHRAT
WSHRAT payload
Unpacked files
SH256 hash:
a1c2a1e0e7afa29559f67eac4475756afd20208ba62c13f3ea8011b486456053
MD5 hash:
e789782c2ad230d328f5620fa52bf837
SHA1 hash:
abcefc7d0d20c1af103a7bcdeba5812052f283b5
Link:
https://www.unpac.me/results/26eab7f0-48dd-42d1-9144-1a8048420b98/
SH256 hash:
f160a3829ae28394bd6f6c319bedcfee60b52b1751d1c838ac8c8f10eb844b2c
MD5 hash:
f1ac6757573b856f245905a72b2c30ab
SHA1 hash:
746aa59d00c0821bfa10d46293d789502bee8350
Link:
https://www.unpac.me/results/26eab7f0-48dd-42d1-9144-1a8048420b98/
SH256 hash:
6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d
MD5 hash:
46517b469ec589b249fe1990c0c460d9
SHA1 hash:
d5e3e212edfff00ff973a1cee17a8029364b87c6
Link:
https://www.unpac.me/results/26eab7f0-48dd-42d1-9144-1a8048420b98/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f4db9c0b9d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

WSHRAT

Executable exe 6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/352550/

Comments