
WSHRAT is a Remote Access Trojan, malware that allows attackers to take over infected machines. The RAT has been in circulation since 2013 and is arguably most notable for the numerous versions released into the wild.

Type: RAT
Origin: likely Algerian
First seen: 24 September, 2013
Last seen: 22 October, 2025
Also known as: Dunihi, Houdini, H-worm, Jenxcus, Kognito


IOCs

IP addresses
67.205.154.243
2.59.254.111
Hashes
e0af88c9b1278d91a30f651ba3a0e77419c010de662dd6b5b86c1d8415093bc4
213d841404449d68dd9f50c18f7259074c43df2fd5221f0bbd34d2e89b611b73
7e160f885fe15d7f5b67e3d321c1bd8240a63bb80c8156f604829f0cbadba313
85dfef0c1b65ee9eb213ea830e0a78d471872e947e1924e90365d29cdeb64c10
33e78a25233a88b3ac6fd6fbe4b42b0e047a89736fd9b089628ab60b29c4dd9a
bed1028badee2ade8a8a8edd25aa4c3e70a6beefafbdffd6426e5e467f24eb01
0d81cab9f7ca5ac7c201c4917dfc7beee2ea6ea5fd9f0b23e7b088f084cda92c
f22a7dd6e64dafabcbc35cb9d56abc38392e228d7beef8ed2e71727099c31a80
3922ac9a1588e0d9d5946e71d95d065cc3cf64e776d792b105981e23220d096f
Domains
chongmei33.publicvm.com
rar.ydns.eu
chongmei33.myddns.rocks
molita30.ddns.net
mmekni1997.myq-see.com
harold.ns01.info
harold.jetos.com
gar373.ddns.net
harold.2waky.com
trabajovalle2023.duckdns.org
concideritdone.duckdns.org
files.ddrive.online
snkcyp.duckdns.org
0b3c.duckdns.org
snk2333.duckdns.org
URLs
http://learningc.publicvm.com:1809/is-ready
http://rk2013controler.no-ip.org:82/is-ready
http://94.156.71.108:1604/is-ready
http://chongmei33.publicvm.com:7045/is-ready
http://chongmei33.publicvm.com:7045/send-to-me%7CC:/Users/Acer/Desktop/adobe.js
http://sexycam.myq-see.com:1181/is-ready
http://mmekni1997.myq-see.com/is-ready
http://files.ddrive.online:3128/
http://concideritdone.duckdns.org:5001/
http://trabajovalle2023.duckdns.org:2032/
http://snkcyp.duckdns.org:3369/
http://0b3c.duckdns.org:1988/
http://gar373.ddns.net:3030/
http://harold.2waky.com:3609/
http://harold.2waky.com:1604/
http://2.59.254.111:2420/
http://harold.ns01.info:3609/
http://harold.ns01.info:1604/
http://snk2333.duckdns.org:47471/
http://67.205.154.243:53454/


What is WSHRAT malware?

WSHRAT is a Remote Access Trojan — a type of malware that attackers use to gain remote control of machines and steal information. This particular RAT has seen several revisions, and depending on the version it’s also known as Dunihi, Houdini, H-worm, Jenxcus, and Kognito.

This RAT was first used in attacks against energy sector companies around the world. Over time the malware became widely available, and attackers used it in less coordinated attacks. The most recent version of WSHRAT changed its targeting and now focuses on the banking sector.

Functionality varies by version, but commonly includes:

  • Taking screenshots.
  • Modifying files.
  • Accessing email and web browser credentials.
  • Manipulating and killing running system processes.

General description of WSHRAT malware

The malware first surfaced in 2013 under the name H-worm. At the time it was a RAT written in VBS (Visual Basic Script). Even then, some samples featured code obfuscation, and the malware already came with fairly advanced information-stealing functions.

The malware was developed by a user known in the underground community as Houdini. Houdini used to host a website where visitors could learn about the RAT's capabilities from an explanation video. Analysis of that content led researchers to conclude with a high degree of certainty that Houdini is likely Algerian, mainly based on his fluent French and Arabic.

It should be noted that while analyzing the first WSHRAT samples, researchers found similarities in command-and-control infrastructure with NjW0rm, njRAT/LV, XtremeRAT, and PoisonIvy, all RATs operated by the njq8 cybergang. It is likely that Houdini collaborates with the gang, or he could even be part of the njq8 syndicate.

The malware became relatively popular, and VBS versions circulated in the wild for a while. In 2015, the author announced plans to rewrite the malware in the Delphi programming language.

However, another version that researchers began investigating in 2016 still used VBS. This time the RAT came in SFX archives and exhibited new behavior: for example, it would play a YouTube video or open a URL in the browser as a decoy while the infection proceeded in the background. Among other things, the 2016 version of WSHRAT can be distinguished by its use of mixed binary and ASCII protocols over TCP.

The newest version of WSHRAT appeared in 2019. This iteration targets the commercial banking sector. The RAT was completely rewritten from the original Visual Basic Script into JavaScript, yet most aspects of the updated version remained identical to the older iterations: for example, it uses the same URL structure for its C2 servers and exhibits similar behavior patterns.

This version is sold for 50 USD and is heavily marketed on underground forums. In particular, the marketing highlights features such as Windows XP through Windows 10 compatibility and a large number of information-stealing and remote-control functions.

Malware analysis of WSHRAT

The ANY.RUN malware hunting service provides a video in which researchers can see the execution process of WSHRAT, as well as of other RATs like njRAT or NanoCore.

Figure 1: WSHRAT process graph created by the ANY.RUN interactive malware analysis service.

WSHRAT execution process

The execution process of WSHRAT is straightforward. After the trojan reaches the system as a script file, it is either run directly by the wscript.exe script host or it uses system processes such as powershell.exe and RegAsm.exe for persistence and defense evasion. Once it has gained persistence, WSHRAT starts sending requests to the C2 server for further commands and fetches additional payloads, such as modules with different functionality.
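The two stages described above (a script file run by the Windows script host, then PowerShell or RegAsm launched for persistence and evasion) translate directly into process-tree heuristics. The following is an added example, not ANY.RUN's code: it runs those heuristics over constructed process-creation records in a simplified Sysmon-like shape. The user-writable path patterns, the script extensions and the set of abused child processes are assumptions based on the description, not fields taken from a real sample.

```python
"""Flag WSHRAT-style script-host execution chains in process-creation events.

Added example, not ANY.RUN's code. The event records are constructed in a
simplified Sysmon-like shape; the path patterns and the set of abused child
processes are assumptions drawn from the description above.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# System processes the page names as being used for persistence and evasion.
ABUSED_CHILDREN = {"powershell.exe", "regasm.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
# User-writable folders where a mailed attachment typically lands (assumption).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:downloads|desktop|appdata)\\|\\temp\\", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name
    cmdline: str


def find_suspicious(events):
    """Return (pid, reason) tuples for events that match either heuristic."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = e.image.lower()
        parent = by_pid.get(e.ppid)
        # 1. A script host executing a script from a user-writable location.
        if (name in SCRIPT_HOSTS and SCRIPT_EXT.search(e.cmdline)
                and USER_WRITABLE.search(e.cmdline)):
            hits.append((e.pid, "script host running a script from a user-writable path"))
        # 2. A script host spawning PowerShell or RegAsm (persistence/evasion stage).
        if (parent is not None and parent.image.lower() in SCRIPT_HOSTS
                and name in ABUSED_CHILDREN):
            hits.append((e.pid, f"{parent.image} spawned {e.image}"))
    return hits


# Constructed sample telemetry: one infection chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1100, 1000, "wscript.exe",
              r'C:\Windows\System32\wscript.exe "C:\Users\Acer\Downloads\invoice.js"'),
    ProcEvent(1200, 1100, "powershell.exe",
              r"powershell.exe -WindowStyle Hidden -File C:\Users\Acer\AppData\Roaming\run.ps1"),
    ProcEvent(1300, 1100, "RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Acer\AppData\Roaming\x.dll"),
    ProcEvent(1400, 1000, "wscript.exe", r'wscript.exe "C:\Program Files\Vendor\maint.vbs"'),
    ProcEvent(1500, 1000, "powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign events matter as much as the malicious ones: a vendor script under Program Files and PowerShell started from Explorer both stay quiet, which is the behaviour you want before pointing such a rule at production telemetry.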

Distribution of WSHRAT

Criminals commonly distribute WSHRAT via emails with malicious attachments. There is evidence that this RAT is used both in highly targeted attacks and in broader email spam campaigns; in either case, phishing is used to trick victims into running the malware.

How to detect WSHRAT?

Valuable information about a malware family can often be found in its network activity, and WSHRAT is no exception. The malware sends HTTP requests to its command-and-control server using the POST method and names itself in the User-Agent header. In ANY.RUN, open the "HTTP Requests" tab and click the "POST" method icon of a request; in the window that opens, look at the User-Agent. If it says WSHRAT, you know which malware family you are dealing with. The check-in URLs in the IOC list above, ending in /is-ready, are another recognizable pattern.
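The same two signals (the RAT's name in the User-Agent of its POST requests, and the /is-ready and /send-to-me|<path> URL structure visible in the IOC list) can be turned into a proxy-log check. The block below is an added example, not ANY.RUN's code or a captured WSHRAT transaction: the log line format and every sample line are constructed, and the hostnames are placeholders rather than IOCs from the page.

```python
"""Spot WSHRAT check-in traffic in HTTP proxy logs.

Added example, not ANY.RUN's code. It uses two signals the page gives: the
RAT names itself in the User-Agent header of its POST requests, and its C2
URLs use the /is-ready check-in path (the IOC list also shows
/send-to-me|<local path> for uploads). The log format and every sample line
below are constructed; no line is a captured sample.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed log format: <timestamp> <src_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
C2_PATHS = ("/is-ready", "/send-to-me")


def classify(line):
    """Return a dict describing why a line looks like WSHRAT C2 traffic, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    parts = urlsplit(url)
    # %7C in the IOC URLs is an encoded '|', so decode before matching the path.
    path = unquote(parts.path)
    reasons = []
    if ua.upper().startswith("WSHRAT"):
        reasons.append("User-Agent names the RAT")
    if method == "POST" and path.startswith(C2_PATHS):
        # Report only the command, not the client-side file path after '|'.
        reasons.append(f"POST to C2 command path {path.split('|')[0]}")
    if not reasons:
        return None
    return {"ts": ts, "src": src, "host": parts.hostname, "port": parts.port,
            "path": path, "reasons": reasons}


def scan(log_text):
    """Classify every line and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log: two beacons from one host, then two benign requests.
SAMPLE_LOG = """\
2025-10-22T10:00:01Z 10.0.0.15 POST http://c2.example.net:1604/is-ready "WSHRAT"
2025-10-22T10:00:05Z 10.0.0.15 POST http://c2.example.net:1604/send-to-me%7CC:/Users/victim/Desktop/notes.js "WSHRAT"
2025-10-22T10:00:09Z 10.0.0.21 GET http://intranet.example.com/is-ready "Mozilla/5.0"
2025-10-22T10:00:12Z 10.0.0.33 POST http://updates.example.org/api/v1/ping "Mozilla/5.0 (Windows NT 10.0)"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}:{hit['port']} {hit['path']}")
        for r in hit["reasons"]:
            print("   ", r)
```

Requiring the POST method for the path-based rule keeps an intranet GET to a coincidentally named /is-ready endpoint from firing, while the User-Agent rule catches a beacon even if the operator changes the command path; a hit on both is a strong signal, a hit on one is worth a closer look.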


Conclusion

The danger of malware like WSH RAT lies not only in its robust feature set as a RAT but also in how quickly it morphs. Writing it in VBS let the author push out a large number of versions, so while security researchers were busy analyzing one sample, a new iteration could already be in the wild.

In cases like this, the ability to perform research fast is of crucial importance. This is especially true if we consider that certain samples of WSHRAT use code obfuscation and encryption that render static analysis ineffective. This means that a more complicated and time-consuming dynamic analysis is a must.

Thankfully, interactive analysis services like ANY.RUN help solve this problem. ANY.RUN allows launching samples in a secure, interactive online environment, where researchers can choose a variety of system parameters that influence the flow of execution. This vastly accelerates the research process and the results are presented in real-time.
