MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6c5cfb45f3ad2ad7140c002881e61cd8f292bba74813d9d2cd46510d3413661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WSHRAT


Vendor detections: 9


SHA256 hash: a6c5cfb45f3ad2ad7140c002881e61cd8f292bba74813d9d2cd46510d3413661
SHA3-384 hash: 0618ee32b8dad5fbef08f15fde8221fd392449a8fdf46ac1de1ab2a1a81c788a231f5b3d079a766032c465a3a7a0119c
SHA1 hash: 8220744ac87cd32a5d4445b7342bb3ca7a7d0754
MD5 hash: 8f0d80257ed844b8fe7dbf5ed3825bae
humanhash: alanine-sixteen-illinois-fix
File name: 8F0D80257ED844B8FE7DBF5ED3825BAE.exe
Signature: WSHRAT
File size: 721'352 bytes
First seen: 2021-06-27 02:05:52 UTC
Last seen: 2021-06-27 02:41:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:PM6WlLoxtuPJzFexiG0F3t9x3/MgKW7VBNliWn6e9:PM6WlLoadFKint0gnl
Threatray: 265 similar samples on MalwareBazaar
TLSH: ACE48D2E1AF1AF7DF90AC1B661C55D012FA0ED61AD8AE90FBB6E3C911F30515FE02542
Reporter: abuse_ch
Tags: exe RAT wshrat


abuse_ch
WSHRAT C2:
http://194.5.98.212:4001/is-ready

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                 ThreatFox Reference
http://194.5.98.212:4001/is-ready   https://threatfox.abuse.ch/ioc/154364/
http://194.5.98.212:4001/show-toast https://threatfox.abuse.ch/ioc/154365/
http://194.5.98.212:4001/moz-sdk    https://threatfox.abuse.ch/ioc/154366/

Intelligence


File Origin
# of uploads: 2
# of downloads: 161
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8F0D80257ED844B8FE7DBF5ED3825BAE.exe
Verdict: Suspicious activity
Analysis date: 2021-06-27 02:07:55 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected WSHRAT
Behaviour
Behavior Graph (graph image not reproduced; node data recovered from the graph follows):
Behavior Graph ID: 440930; Sample: 975nbIb5Ho.exe; Start date: 27/06/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; 9 other signatures
Processes started from the sample root: 975nbIb5Ho.exe; wscript.exe (three instances)
  975nbIb5Ho.exe dropped: C:\Users\user\AppData\...\DOCUMENT.exe (PE32); C:\Users\user\AppData\...\975nbIb5Ho.exe (PE32); C:\Users\...\DOCUMENT.exe:Zone.Identifier (ASCII); 3 other malicious files
  975nbIb5Ho.exe signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Injects a PE file into a foreign processes
  975nbIb5Ho.exe started: 975nbIb5Ho.exe (child instance); wscript.exe
  Child 975nbIb5Ho.exe dropped: C:\Users\user\AppData\Roaming\mUPVS.vbs (assembler)
  Child 975nbIb5Ho.exe signatures: Multi AV Scanner detection for dropped file; Potential malicious VBS script found (suspicious strings); Potential malicious VBS script found (has network functionality); Machine Learning detection for dropped file
  Child 975nbIb5Ho.exe started: wscript.exe
  wscript.exe (started by 975nbIb5Ho.exe) signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Potential evasive VBS script found (sleep loop); 3 other signatures
  wscript.exe (started by 975nbIb5Ho.exe) started: powershell.exe
  wscript.exe (started by child 975nbIb5Ho.exe) network: 194.5.98.212, ports 4001, 49727, 49734 (DANILENKODE, Netherlands); wshsoft.company 194.59.164.67, ports 49737, 80 (AS-HOSTINGERLT, Germany); 2 other IPs or domains
  wscript.exe (started by child 975nbIb5Ho.exe) dropped: C:\...\api-ms-win-crt-utility-l1-1-0.dll (PE32); C:\Users\...\api-ms-win-crt-time-l1-1-0.dll (PE32); C:\Users\...\api-ms-win-crt-string-l1-1-0.dll (PE32); 361 other files (1 malicious)
  wscript.exe (started by child 975nbIb5Ho.exe) signatures: System process connects to network (likely due to code injection or exploit); Windows Shell Script Host drops VBS files
  powershell.exe started: conhost.exe
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-06-24 10:28:47 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:wshrat persistence spyware stealer trojan
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
WSHRAT
WSHRAT Payload
Unpacked files

SHA256 hash: 1316fb3fe1e5ae97cc34c193c445a52e887eea06c7ad76d2b43a0e565df6db21
MD5 hash: 52378037bd5d11a77fb3af9adcd6329b
SHA1 hash: bce029c7790fcba0d5d6f66cc3b75499844e7583

SHA256 hash: 9cb627caaf2a07471ded3b3eda21bf34442fca232b9a44d6258f0f16749b52a4
MD5 hash: c3e02c88ba7263512f6d7723ef8dd633
SHA1 hash: 1d5da3f4f3bd4d1e60e91f9cf3db468249427d3f

SHA256 hash: 315e874ca73730965680e75e26dc2f8a440cadd9bf10fb0555e4159e1ff63349
MD5 hash: 77e836ce0a0b45918101988444dc7105
SHA1 hash: 0a6f86bd6cf88767f3c84e85e50e22d1870297a6

SHA256 hash: a6c5cfb45f3ad2ad7140c002881e61cd8f292bba74813d9d2cd46510d3413661
MD5 hash: 8f0d80257ed844b8fe7dbf5ed3825bae
SHA1 hash: 8220744ac87cd32a5d4445b7342bb3ca7a7d0754
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments