MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03
SHA3-384 hash: 4266ca78925bf7d91d97655fcb7986404e9d3f4a93bb2efda8cb155e89fd22e63e16d000cee008af0f02f2b838608b65
SHA1 hash: 48d83b26a75a03a6ca067ff44d208cc1c47b7bd5
MD5 hash: 0dd05e9a74cdc3e174bec63b67cd86db
humanhash: arkansas-west-gee-mango
File name:0dd05e9a74cdc3e174bec63b67cd86db
Download: download sample
Signature WSHRAT
Create hunting rule
File size:891'599 bytes
First seen:2022-11-15 12:54:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 24576:XlZT3TaGspPse/LltOOr3C1zC+GGOG4emawVl9RK:VZHaGese/73H+GS4XawVrQ
Threatray 3'240 similar samples on MalwareBazaar
TLSH T13F153352AACD9C7BFA56BF3254411F32833FA807975A5C8A076411EA09B770FD3E908D
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe wshrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0dd05e9a74cdc3e174bec63b67cd86db
Verdict:
Malicious activity
Analysis date:
2022-11-15 12:54:46 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/8ed21915-7c69-4491-893e-0aa4b809b37d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334303/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Enabling the 'hidden' option for recently created files
Searching for the window
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63738beb65b4ed3de8c855ae/reports/f473cf25-a64d-4706-bba7-0a934308ce56/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5df827d6-e11a-40cb-a106-52320143df19
Result
Threat name:
WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1113781
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Shell Script Host drops VBS files
Wscript called in batch mode (surpress errors)
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 746477 Sample: 99ObtLprOR.exe Startdate: 15/11/2022 Architecture: WINDOWS Score: 100 45 Sigma detected: Register Wscript In Run Key 2->45 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 9 other signatures 2->51 8 99ObtLprOR.exe 19 2->8         started        11 wscript.exe 2->11         started        14 wscript.exe 1 2->14         started        16 2 other processes 2->16 process3 file4 37 C:\Users\user\AppData\Local\Temp\ocymim.exe, PE32 8->37 dropped 18 ocymim.exe 8->18         started        61 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 11->61 63 Wscript called in batch mode (surpress errors) 11->63 21 wscript.exe 14->21         started        signatures5 process6 signatures7 53 Potential malicious VBS script found (suspicious strings) 18->53 55 Potential malicious VBS script found (has network functionality) 18->55 57 Potential evasive VBS script found (sleep loop) 18->57 59 2 other signatures 18->59 23 ocymim.exe 2 18->23         started        process8 file9 35 C:\Users\user\AppData\Roaming\wApVJ.vbs, assembler 23->35 dropped 26 wscript.exe 3 16 23->26         started        31 WerFault.exe 23 9 23->31         started        33 WerFault.exe 23->33         started        process10 dnsIp11 41 snkcyp.duckdns.org 194.180.48.65, 44147, 49714, 49715 LVLT-10753US Germany 26->41 43 ip-api.com 208.95.112.1, 49713, 80 TUT-ASUS United States 26->43 39 C:\Users\user\AppData\Roaming\...\wApVJ.vbs, assembler 26->39 dropped 65 System process connects to network (likely due to code injection or exploit) 26->65 67 Potential malicious VBS script found (suspicious strings) 26->67 69 Potential malicious VBS script found (has network functionality) 26->69 71 5 other signatures 26->71 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03/
Threat name:
Win32.Worm.Jenxcus
Create hunting rule
Status:
Malicious
First seen:
2022-11-15 12:55:11 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5522czlcpx4zn67cxybl3cr25tnljr2fnnm5qqa77yjhrwxbqbq._file
Verdict:
unknown
Similar samples:
0ef758cdcdaa95ecd6689cf13a719dd95def885bd1c5812295c2ed65d34b735d
WSHRAT
248f55d832f26a199f4b779d9c93dba1034bc3545157929f08a199b8e33bed6b
WSHRAT
3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229
WSHRAT
5b51a7e451c70c0271f21acf38747c5af235c18394585c4470f127c343b6ff8c
WSHRAT
68dc5714a90d2f0b2b91d22127aa518ce6667386b133777a0e36fac29d7a19af
WSHRAT
717fe0279624e6de4ab040bcf3eded22395688797352a822b53ba27f29a3e3cb
WSHRAT
81adbb94cf5758852ad9d3e7ba4d958b1943715c3837074c7fcaeeee22aadb7b
WSHRAT
ab3b2d262d28cb3b2fb07bb5c3692f09eafefe29057c4c35a3e62088f2d09bd1
WSHRAT
+ 3'230 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:wshrat persistence trojan
Link:
https://tria.ge/reports/221115-p47vzaea25/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
WSHRAT
WSHRAT payload
Malware Config
C2 Extraction:
http://snkcyp.duckdns.org:44147
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a522833d-fea3-46a8-a578-667846de87fc
Unpacked files
SH256 hash:
0b988a410ef45522a17a20f10c43b1fcd6313ffb4215df6801a5d731687e809a
MD5 hash:
09d29c4eac2154c87c37045ed8ddeb40
SHA1 hash:
da79591e7f2878328c55d803b5e6e2fc7215bc00
Link:
https://www.unpac.me/results/c647b476-ba51-4e6d-97d0-fa6b38863b15/
SH256 hash:
4b0f32178b931d0a9cc682a9fd161673d9b021a07fc5e87cc4388d9e84832e7f
MD5 hash:
762fa25a20464514c96a9820ada39dfc
SHA1 hash:
a9be799f7b3a4c5ebd2e23f3d721556c0591c273
Link:
https://www.unpac.me/results/c647b476-ba51-4e6d-97d0-fa6b38863b15/
SH256 hash:
58c2f45c86a0855f2a1ed8409532914dbec6f561dc0b606bd014178c81d1c6ad
MD5 hash:
fa9037616a426f7744821387040f37d4
SHA1 hash:
6b3d17b7a5328bcce09c160d0158bb9d2889c6c8
Link:
https://www.unpac.me/results/c647b476-ba51-4e6d-97d0-fa6b38863b15/
SH256 hash:
cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03
MD5 hash:
0dd05e9a74cdc3e174bec63b67cd86db
SHA1 hash:
48d83b26a75a03a6ca067ff44d208cc1c47b7bd5
Link:
https://www.unpac.me/results/c647b476-ba51-4e6d-97d0-fa6b38863b15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WSHRAT

Executable exe cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2412791/
Cape
Cape
https://www.capesandbox.com/analysis/334303/

Comments


Avatar
zbet commented on 2022-11-15 12:54:07 UTC

url : hxxp://207.167.64.143/yuhuu.exe