MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589
SHA3-384 hash: e90bd1ea7315a90014dc5854989bb1b9b81f5dfa5f5648201b00dbf22f433dbf11b020fb1f9c742c8ec451e88def27b2
SHA1 hash: ba9b27dee76cfc6c66c8ed072c308bf55b883fa1
MD5 hash: 5a1c357efa9ac8762c9fe7a2e9a9fb60
humanhash: equal-mississippi-jersey-missouri
File name:Purchase Order-5762G.exe
Download: download sample
Signature WSHRAT
Create hunting rule
File size:1'492'992 bytes
First seen:2022-10-05 09:10:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:OnjogvxwuN3KfnWZQzjFeM6DJOjB9sTTHyCNQfLGYgkA/zHanLTB5fKIEbNPTz31:jnYQb6VOuGN5CIqNrR
Threatray 1'082 similar samples on MalwareBazaar
TLSH T118655BF490AB04E6E80BADD0297C7DE2427179F3CDD90921136DF6048FBBD69AE0855B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ecf0c68ac2c298f2 (60 x SnakeKeylogger, 14 x Formbook, 6 x AgentTesla)
Reporter abuse_ch
Tags:exe RAT wshrat


Avatar
abuse_ch
WSHRAT C2:
http://rze6.sytes.net:4000/is-ready

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://rze6.sytes.net:4000/is-ready https://threatfox.abuse.ch/ioc/870781/
45.155.165.70:4000 https://threatfox.abuse.ch/ioc/870782/

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316776/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/633d4a27c9e2f3435432cf02/reports/39beec99-bc41-48f6-ba94-ef23b098b144/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/68fa153c-d29f-4d90-8275-b8102fdb2b74
Result
Threat name:
DarkCloud, WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083968
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Creates multiple autostart registry keys
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes or reads registry keys via WMI
Wscript called in batch mode (surpress errors)
Yara detected Costura Assembly Loader
Yara detected DarkCloud
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 716527 Sample: Purchase Order-5762G.exe Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 57 rze6.sytes.net 2->57 63 Sigma detected: Register Wscript In Run Key 2->63 65 Snort IDS alert for network traffic 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 16 other signatures 2->69 8 Purchase Order-5762G.exe 4 6 2->8         started        12 Utmlnipujo.exe 1 2->12         started        14 wscript.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 dnsIp5 45 C:\Users\user\AppData\...\Utmlnipujo.exe, PE32 8->45 dropped 47 C:\Users\...\Utmlnipujo.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\...\Kdhoqovmlksvtmlssofjbtobuild.js, ASCII 8->49 dropped 51 C:\Users\...\Purchase Order-5762G.exe.log, ASCII 8->51 dropped 81 Encrypted powershell cmdline option found 8->81 83 Creates multiple autostart registry keys 8->83 85 Injects a PE file into a foreign processes 8->85 19 wscript.exe 3 3 8->19         started        23 Purchase Order-5762G.exe 1 16 8->23         started        26 powershell.exe 16 8->26         started        28 Purchase Order-5762G.exe 8->28         started        87 Multi AV Scanner detection for dropped file 12->87 89 Machine Learning detection for dropped file 12->89 30 powershell.exe 12->30         started        91 System process connects to network (likely due to code injection or exploit) 14->91 93 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 14->93 53 rze6.sytes.net 16->53 file6 signatures7 process8 dnsIp9 39 C:\Users\...\Kdhoqovmlksvtmlssofjbtobuild.js, ASCII 19->39 dropped 41 C:\Users\...\Kdhoqovmlksvtmlssofjbtobuild.js, ASCII 19->41 dropped 71 Drops script or batch files to the startup folder 19->71 73 Creates multiple autostart registry keys 19->73 75 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 19->75 77 Wscript called in batch mode (surpress errors) 19->77 32 wscript.exe 7 19->32         started        59 showip.net 162.55.60.2, 49708, 80 ACPCA United States 23->59 61 192.168.2.1 unknown unknown 23->61 43 C:\Users\user\AppData\...\fireless.exe, PE32 23->43 dropped 79 Tries to harvest and steal browser information (history, passwords, etc) 23->79 35 conhost.exe 26->35         started        37 conhost.exe 30->37         started        file10 signatures11 process12 dnsIp13 55 rze6.sytes.net 45.155.165.70, 4000, 49706, 49707 AGROSVITUA Russian Federation 32->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 09:11:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yujpvjeebqrggprt7icn47bd76lszfyuptuvthpfzhjde3ybuweq._file
Verdict:
malicious
Similar samples:
7ef24f6499dd9fc7809783a98febc44c2dc25a3f74d02c9bf8ddbae0d3b781c6
WSHRAT
8662c5563163a4bfd38e68eee91831b3c07e30c022ec54bc58c381c53bb1f679
WSHRAT
b950dcbb1211c4300becf8cf343e287a2bb849d042310ce3aed90e354db2b75c
WSHRAT
be78978207530d3d0ba4a346c6276ced6ac73401dd86b400d6fdfc7f8c8e4b01
WSHRAT
ca943cad4feb48b7da378e205184231cd95928e5dff61300fba10d15b142d333
WSHRAT
d44feec60d3050d9ae9da6cfe01f8f9f44c2b73890017dbed49a1c6f048374ee
WSHRAT
d57321805b57d9a004d652b7d8b00d9045d6940800653374e2a47c7dad2e9196
WSHRAT
+ 1'072 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:wshrat persistence trojan
Link:
https://tria.ge/reports/221005-k5la5seafj/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Blocklisted process makes network request
WSHRAT
Malware Config
C2 Extraction:
http://rze6.sytes.net:4000
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec03e9f8-1281-41f4-bcae-a9d9803fe5ca
Unpacked files
SH256 hash:
debc265edc139a808e47d94ffe652d3db74c367821ad7cc8cb2d08314f9e55d6
MD5 hash:
1a35b2f0d962094ad0111b7346e8ba69
SHA1 hash:
6e6a66fcb1a999e5ccb76eeed50c44ba4a075845
Link:
https://www.unpac.me/results/4b83464b-5d41-40b2-89f2-edaa59bded11/
SH256 hash:
9f1babadd22df4128734d28afd970ff719db5ab0150a90e6bf1d37fdbe440a3f
MD5 hash:
4a7231bd701972f8bade599e865be486
SHA1 hash:
402e0ec64a5bd72f7241f5c6df41672d62d6e04f
Link:
https://www.unpac.me/results/4b83464b-5d41-40b2-89f2-edaa59bded11/
SH256 hash:
c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589
MD5 hash:
5a1c357efa9ac8762c9fe7a2e9a9fb60
SHA1 hash:
ba9b27dee76cfc6c66c8ed072c308bf55b883fa1
Link:
https://www.unpac.me/results/4b83464b-5d41-40b2-89f2-edaa59bded11/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c512faa4840c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c512faa4840c22633e33fa04de7c23ff972c97147ce9599de5c9d2326f01a589

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316776/

Comments