MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a
SHA3-384 hash: 5c3297a90eff63472054a1238bdb912d5cb43fbadbebde47b1ade610d8cf546b97db0f3b985785ba7d948f0e0432795a
SHA1 hash: ecce6c06db49fdc351df121f8a416f8572086df1
MD5 hash: 1451ed9b5629e22afbde901d932f4bfc
humanhash: delta-bacon-lamp-xray
File name:1451ed9b5629e22afbde901d932f4bfc.exe
Download: download sample
Signature WSHRAT
Create hunting rule
File size:1'445'376 bytes
First seen:2022-09-27 06:12:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f462fcc6b830b77fb3fef2add9dc570 (9 x CoinMiner, 3 x BitRAT, 2 x XWorm)
ssdeep 24576:9Ux3pCeQifiWVpXVE/aWumZxv/yE8gLfdryuZepwHOglrSrorrfQ8:6hpDf6WTXS/gmZ1KrgL1NNHOglrSrorV
Threatray 2'911 similar samples on MalwareBazaar
TLSH T12265F1F38B916B4C86CF877AF9F75000B7AA1371ADA58757E66C0C8CCD4412A26D3A70
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe wshrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313826/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.48777.16720.4034.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
DNS request
Sending a custom TCP request
Changing a file
Enabling the 'hidden' option for recently created files
Creating a file
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39408/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633294729cd210adb55ca427/reports/a3770b5a-f5ba-47c4-97f3-72e5e6a95fc2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d386176a-dee3-41e1-bb94-275bba3bddc5
Result
Threat name:
RedLine, WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078042
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Wscript called in batch mode (surpress errors)
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 710592 Sample: sh57Setq07.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 59 sheet.duckdns.org 2->59 75 Sigma detected: Register Wscript In Run Key 2->75 77 Snort IDS alert for network traffic 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 14 other signatures 2->81 9 sh57Setq07.exe 10 6 2->9         started        12 notepad.exe 2->12         started        15 wscript.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 file5 49 C:\Users\user\AppData\Local\Temp\build.exe, PE32 9->49 dropped 51 C:\Users\user\AppData\Local\Temp\JUYBRB.exe, PE32 9->51 dropped 53 C:\Users\user\AppData\Local\Temp\Client.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\Temp\sheet.js, ASCII 9->55 dropped 19 wscript.exe 1 9->19         started        22 JUYBRB.exe 2 3 9->22         started        26 Client.exe 2 9->26         started        28 2 other processes 9->28 101 Antivirus detection for dropped file 12->101 103 Multi AV Scanner detection for dropped file 12->103 signatures6 process7 dnsIp8 83 System process connects to network (likely due to code injection or exploit) 19->83 85 May check the online IP address of the machine 19->85 87 Drops script or batch files to the startup folder 19->87 99 4 other signatures 19->99 30 wscript.exe 3 16 19->30         started        61 sheet.duckdns.org 22->61 45 C:\Users\user\AppData\Roaming\...\notepad.exe, PE32 22->45 dropped 47 C:\Users\user\AppData\Local\Temp\LZTIXH.vbs, ASCII 22->47 dropped 89 Antivirus detection for dropped file 22->89 91 Multi AV Scanner detection for dropped file 22->91 93 Creates multiple autostart registry keys 22->93 35 cmd.exe 22->35         started        37 wscript.exe 22->37         started        63 sheet.duckdns.org 26->63 95 Machine Learning detection for dropped file 26->95 97 Queries memory information (via WMI often done to detect virtual machines) 26->97 39 conhost.exe 28->39         started        file9 signatures10 process11 dnsIp12 65 sheet.duckdns.org 159.223.57.212, 4110, 49721, 49723 CELANESE-US United States 30->65 67 ip-api.com 208.95.112.1, 49720, 80 TUT-ASUS United States 30->67 57 C:\Users\user\AppData\Roaming\...\sheet.js, ASCII 30->57 dropped 69 System process connects to network (likely due to code injection or exploit) 30->69 71 Creates multiple autostart registry keys 30->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 35->73 41 conhost.exe 35->41         started        43 schtasks.exe 35->43         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a/
Threat name:
Win32.Trojan.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 08:35:30 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxexsuvr3t2ijrpkp2jera3xn5qkhy2uymbi2tr4vcarfrexyvva._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
1702558a8ae1cda0af628944914cf12a6dc360092b67395779e90450dd1bf64d
WSHRAT
1f06e9fbca301c8973f846320f64cd64e09a55a178add77b72d893cb781bc80c
WSHRAT
37e5285ef075235abeed2a5bfbf0398cd49945e77842a8e45fba2e4dcf0c819e
WSHRAT
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3
WSHRAT
967357369e28e674971587037a5d24378a41b3e074ac20d24544d1703cccfee0
WSHRAT
9678ca06068b705da310aa2f76713d2d59905b12b67097364160857cd1f90c58
WSHRAT
cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8
WSHRAT
+ 2'901 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:wshrat botnet:explorer infostealer persistence trojan
Link:
https://tria.ge/reports/220927-gyrb2acga2/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
RedLine
RedLine payload
WSHRAT
WSHRAT payload
Malware Config
C2 Extraction:
159.223.57.212:8294
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/508e7902-0873-4e58-bb83-6202144672e7
Unpacked files
SH256 hash:
c0598bc45712d080bfa009710ebf5690670a7c0ec734f49edb5c60e8474bcce0
MD5 hash:
587b8de1e0f5bcca1fda900699729ad1
SHA1 hash:
8dbafeb0964ac44cdf61b603dcebdb1fb599592d
Link:
https://www.unpac.me/results/ad3800ca-a9e8-4d3b-9fcb-d5f3d0940fc5/
SH256 hash:
76fc5de571f9a7fd4c665fdf7b3ecd72153fbbed05752152cce58ee8dccaa794
MD5 hash:
dc53c9d0858c68c9e4ed6ed8e7c9d0c8
SHA1 hash:
a57304e4a03c60c82469bac41d3bf964fac42eb4
Link:
https://www.unpac.me/results/ad3800ca-a9e8-4d3b-9fcb-d5f3d0940fc5/
SH256 hash:
b243270e308d533c62e4909ae1205eb3f38d8bd60fe5a3de9945b8e6a7e07f58
MD5 hash:
ef85556dba997801a26947dd25139bed
SHA1 hash:
14079e54460c5782d5be270f5197e56d78cd5155
Link:
https://www.unpac.me/results/ad3800ca-a9e8-4d3b-9fcb-d5f3d0940fc5/
SH256 hash:
cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a
MD5 hash:
1451ed9b5629e22afbde901d932f4bfc
SHA1 hash:
ecce6c06db49fdc351df121f8a416f8572086df1
Link:
https://www.unpac.me/results/ad3800ca-a9e8-4d3b-9fcb-d5f3d0940fc5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WSHRAT

Executable exe cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2313968/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/313826/

Comments