MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddc089db76d5e0419e1f7d3777d2227df3a5cc4b55ea33f9616863cccad3c89f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WSHRAT

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	ddc089db76d5e0419e1f7d3777d2227df3a5cc4b55ea33f9616863cccad3c89f
SHA3-384 hash:	aaa934fa145aa613c84c0bbe167b0e6321f519597c40f9a1e6f49d591b20cdd439377b1f3dd665f18d07764542002fbc
SHA1 hash:	e3d09f5ef27ef522cee4f94c925ea9875b030a51
MD5 hash:	7e449a03a798e24db623efb8f14c243c
humanhash:	fourteen-delaware-one-uranus
File name:	bffc0d6b27477882ca2535a9ce229109
Download:	download sample
Signature	WSHRAT Create hunting rule
File size:	500'509 bytes
First seen:	2020-11-17 15:14:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	12288:t9MDwIn45hUqtX+t498bwkpLHoBvXZYTK:t+DwI+UqXkfIFXGTK
Threatray	124 similar samples on MalwareBazaar
TLSH	84B4F102F9D185B2E4220936556DAB40A8367C341F78DDDBB3F42A5DDA305E1AA34FB3
Reporter	seifreed
Tags:	wshrat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Emotet-9790742-0

Win.Packed.Emotet-9790818-0

Win.Dropper.NetWire-9792487-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file in the %AppData% directory

Creating a file

Using the Windows Management Instrumentation requests

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Enabling autorun by creating a file

Enabling threat expansion on mass storage devices by creating a special LNK file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddc089db76d5e0419e1f7d3777d2227df3a5cc4b55ea33f9616863cccad3c89f/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-11-17 15:22:34 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

wshrat

Score:

10/10

Tags:

family:wshrat persistence trojan

Link:

https://tria.ge/reports/201117-qc2daexvcj/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

JavaScript code in executable

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Blacklisted process makes network request

Executes dropped EXE

WSHRAT

WSHRAT Payload

Unpacked files

SH256 hash:

ddc089db76d5e0419e1f7d3777d2227df3a5cc4b55ea33f9616863cccad3c89f

MD5 hash:

7e449a03a798e24db623efb8f14c243c

SHA1 hash:

e3d09f5ef27ef522cee4f94c925ea9875b030a51

Link:

https://www.unpac.me/results/9b5a5a88-0b72-42aa-913b-a97e4acdedea/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample