MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WSHRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments 1

SHA256 hash:	bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2
SHA3-384 hash:	d919576d11493aecb76b286ef4ce5baca4e80575399d274c807d38a43f64b9247da839cba6fac170c4dcb646ec149928
SHA1 hash:	c0450285843855e54b2b5aa7ee8d1a2f524218e9
MD5 hash:	263d8628ff6e9c99318da99bb42007f4
humanhash:	carpet-zulu-mobile-sweet
File name:	263d8628ff6e9c99318da99bb42007f4
Download:	download sample
Signature	WSHRAT Create hunting rule
File size:	2'088'960 bytes
First seen:	2023-09-19 10:07:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	1536:waXjwDPE6yzTBMfT9/8n+NwRw7ySsgWNybmXfaKHFjyRcf7tZ4G5tJJmmrvf/Fco:NYPFyzTBMfw+N/Zs/N4ovsWZ93co
Threatray	360 similar samples on MalwareBazaar
TLSH	T16AA53A9F2996628DB281BC514F7CF231C25D7AE56D364CB24EB70C2C566A6F08B2C713
TrID	28.5% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	zbetcheckin
Tags:	32 exe wshrat

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

Vendor Threat Intelligence

Malware family:

wshrat

ID:

File name:

bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2.zip

Verdict:

Malicious activity

Analysis date:

2023-09-19 15:07:05 UTC

Tags:

evasion wshrat remote

Link:

https://app.any.run/tasks/de855f4f-ce5d-4892-947f-5c836df54eaf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/449638/

Detection(s):

PUA.Win.Packed.ConfuserEx-6391397-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Creating a file in the %AppData% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a window

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP POST request

Creating a process with a hidden window

Creating a file in the mass storage device

Unauthorized injection to a system process

Enabling threat expansion on mass storage devices

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuser confuserex lolbin packed packed replace

Link:

https://www.filescan.io/uploads/65097303988a26b6d96e883f/reports/386e380f-927e-431c-9074-58827dcebfdc/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/625367f0-a990-4eda-aba5-4cdf1dc692a7

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1310692

Signature

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-09-19 10:08:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xmngbveom6sxwnr3ymjoah2nsgt5vz7euelfgflokvgunbly5dza._file

Verdict:

malicious

Label(s):

njrat

Result

Malware family:

wshrat

Score:

10/10

Tags:

family:wshrat spyware stealer trojan

Link:

https://tria.ge/reports/230919-l571ksad46/

Behaviour

Kills process with taskkill

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

NirSoft MailPassView

Nirsoft

WSHRAT

WSHRAT payload

Malware Config

C2 Extraction:

http://80.76.51.33:2606

Unpacked files

SH256 hash:

ad82d2c9f4e813b285f4b1d2d6dbc411237b5ae2f9054d4bbff0ad4eeb06be1b

MD5 hash:

b4a635503a8b633dd73d832a27049bb0

SHA1 hash:

f119670163e6c644b4183f78445f7580c9f42315

Link:

https://www.unpac.me/results/9149f91b-4dc4-4b36-ac6e-4cf9ea4738fc/

SH256 hash:

acbba986cf26cd68471d4826b5e637c784cbe85003ddb59fce1556471f72b208

MD5 hash:

6623308399f637b62312b90cdc655ea9

SHA1 hash:

5bf0a46642d032d9ca5a2fc6e4df91ec0800e812

Link:

https://www.unpac.me/results/9149f91b-4dc4-4b36-ac6e-4cf9ea4738fc/

SH256 hash:

bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

MD5 hash:

263d8628ff6e9c99318da99bb42007f4

SHA1 hash:

c0450285843855e54b2b5aa7ee8d1a2f524218e9

Link:

https://www.unpac.me/results/9149f91b-4dc4-4b36-ac6e-4cf9ea4738fc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bb1a60d48e67/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_WSHRATPlugin Create hunting rule
Author:	ditekSHen
Description:	WSHRAT keylogger plugin payload

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	wsh_rat_keylogger Create hunting rule
Author:	jeFF0Falltrades
Description:	Alerts on the WSH RAT .NET keylogger module

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WSHRAT

exe bb1a60d48e67a57b363bc312e01f4d91a7dae7e4a11653156e554d468578e8f2

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2712490/

Cape

https://www.capesandbox.com/analysis/449638/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-09-19 10:07:14 UTC

url : hxxp://194.180.49.211/bas/Rain.exe