Published on December 23rd, 2019 | 5385 Views

Malware Analysis | WSHRAT Visual Basic RAT (C2 Replication)



========= LINKS =========
Twitter: https://twitter.com/kindredsec
Patreon: https://www.patreon.com/kindredsec
Twitch: https://www.twitch.tv/kindredsec
Discord: https://discord.gg/CCZCJCu
GitHub: https://github.com/itsKindred

Link to sample: https://github.com/itsKindred/malware-samples/blob/master/vbs/wshrat.vbs

========= DESCRIPTION =========
In this video, we look at a fully VBS-implemented Remote Access Trojan (RAT) commonly called WSHRAT. The RAT contains a bunch of built-in capabilities such as a cmd shell, a keylogger and a log collector. To investigate some of the simpler capabilities, we dive into the source code to reverse engineer the communication scheme, then write our own makeshift C2 server to communicate with the implant. Once that's done, we perform some light dynamic analysis to take a look at file system and registry activity.

========= TIMESTAMPS =========
00:00:00 - Introduction
00:00:58 - Initial look at code
00:03:17 - Looking at primary function
00:07:00 - Peeking at password stealing functionality
00:07:55 - Peeking at CMD Shell functionality
00:09:15 - Peeking at binary-dependent functions
00:16:23 - Digging into core network comms
00:20:50 - Running the implant and looking at initial traffic
00:25:37 - Starting to write python C2 Server script
00:31:51 - Implementing get-processes functionality
00:39:07 - Adding some flexibility to our script
00:42:46 - Implementing cmd-shell functionality
00:48:30 - Wrapping up Python C2 Server
00:49:50 - Start of dynamic analysis
00:54:30 - Wrapping things up





========= HASHES =========
1fce57032f89b0d8c731ad9fd4a91ea6 wshrat.vbs

========= DISCLAIMERS =========
DISCLAIMER 1: This is for learning purposes only. Please do not utilize or distribute the malware samples shared in this video.
DISCLAIMER 2: Please do not mess with, interact, or abuse any of the IPs, names, or identifiable information found in this video. I do not claim responsibility for any malicious activity targeting any of the systems or addresses found in this video.

2019-12-23 20:57:37
