MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WSHRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16
SHA3-384 hash: 3442d156bcf9c2d4ba757d2c083ad794c1861795968fa0619a68033d2114efc23960b3202d7b4de7ebf018b120b642aa
SHA1 hash: 865b0d1ecaed2166b001b2b000e8bd9823e325ec
MD5 hash: 3a5de50727f1730d8ef5aad8da61f081
humanhash: bravo-earth-north-seven
File name:IMG-NEW-PO-LIST-993837665598576.exe
Download: download sample
Signature WSHRAT
Create hunting rule
File size:1'582'096 bytes
First seen:2022-11-16 08:40:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:tAOcZq1aY4HAXmxYl+Gq25aAmtUfnXdH22jLzCXPQMTjbnNSp7x:XR06OY3+UcwCXYMTnNSp7x
Threatray 2'249 similar samples on MalwareBazaar
TLSH T191752242F7C5C5B2D1332A32D936A628BABD2D205F34A50FA7D47879DF321905225FA3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 017664325adacec0 (1 x WSHRAT)
Reporter abuse_ch
Tags:exe RAT wshrat


Avatar
abuse_ch
WSHRAT C2:
http://newmoney2033.duckdns.org:5000/is-ready

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
wshrat
Create hunting rule
ID:
1
File name:
IMG-NEW-PO-LIST-993837665598576.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 08:42:14 UTC
Tags:
evasion trojan wshrat
Link:
https://app.any.run/tasks/c754d5e9-79f2-46be-a58b-6ac843bd8fa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334701/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6374a21f3024da3911e82700/reports/1a547c63-b1b1-408f-9959-8ba2b703eb13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f212eafc-7d1e-4fba-b422-35a2aed6e202
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1114638
Signature
Antivirus detection for dropped file
Disables the Windows task manager (taskmgr)
Found API chain indicative of sandbox detection
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747334 Sample: IMG-NEW-PO-LIST-99383766559... Startdate: 16/11/2022 Architecture: WINDOWS Score: 64 39 Yara detected AntiVM autoit script 2->39 11 IMG-NEW-PO-LIST-993837665598576.exe 3 75 2->11         started        14 jbdg.exe 1 1 2->14         started        16 jbdg.exe 2->16         started        18 jbdg.exe 2->18         started        process3 file4 37 C:\Users\user\AppData\Local\Temp\...\jbdg.exe, PE32 11->37 dropped 20 wscript.exe 1 11->20         started        22 wscript.exe 14->22         started        process5 process6 24 jbdg.exe 2 4 20->24         started        27 jbdg.exe 22->27         started        signatures7 41 Antivirus detection for dropped file 24->41 43 Found API chain indicative of sandbox detection 24->43 45 Disables the Windows task manager (taskmgr) 24->45 29 wscript.exe 1 24->29         started        process8 process9 31 jbdg.exe 1 29->31         started        process10 33 wscript.exe 31->33         started        process11 35 jbdg.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16/
Threat name:
Win32.Trojan.Liusky
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 08:41:27 UTC
File Type:
PE (Exe)
Extracted files:
102
AV detection:
11 of 40 (27.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mfat3zfic357spg6xqx3373muzxyqkctm6sou3fhkwzfzw7rula._file
Verdict:
malicious
Similar samples:
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
WSHRAT
623d9a74747fe5ff5e72eb70d6ba2d2906eab55b5db50d796728e6d7ab492c79
WSHRAT
d3d3c216728f58044cae30180c84e75db170ea200860ae9415004f3a0f167ec3
WSHRAT
d5edadd969395a3c5fd2a2cf9832684b11680480b5ca75b464988cff244a6d6d
WSHRAT
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
WSHRAT
e15347eeeba6fb5f12440c9c2720d8055747cd973fde267d7e159f40efa62ab5
WSHRAT
e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea
WSHRAT
+ 2'239 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:wshrat evasion persistence trojan
Link:
https://tria.ge/reports/221116-klfasadg3v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Executes dropped EXE
WSHRAT
WSHRAT payload
Malware Config
C2 Extraction:
http://newmoney2033.duckdns.org:5000
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e2ef6e34-6dee-41f1-9f0b-3cf62beb3a3e
Unpacked files
SH256 hash:
98ea6b181caa7c0827924af8fc54ce39641996a9944c7a05a0441dfe2baa3247
MD5 hash:
8af37dcc5e39d28a2c448519a3ae41e3
SHA1 hash:
d178f7f171110bf835c40e7ae39afa62568c82e7
Link:
https://www.unpac.me/results/d3ce2f38-15ab-4d15-a990-26935bfb495f/
SH256 hash:
10f7314e83767919250cb7407bc407875a863d5d586c2e48e86d54715b083f1f
MD5 hash:
9703497b807db9e9e71685e08ae1c73f
SHA1 hash:
f42d15a587acc74cb244d4de15da8fd814b5adc8
Link:
https://www.unpac.me/results/d3ce2f38-15ab-4d15-a990-26935bfb495f/
SH256 hash:
fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16
MD5 hash:
3a5de50727f1730d8ef5aad8da61f081
SHA1 hash:
865b0d1ecaed2166b001b2b000e8bd9823e325ec
Link:
https://www.unpac.me/results/d3ce2f38-15ab-4d15-a990-26935bfb495f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb0a09ef2540/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/334701/

Comments