I'm leaving you this RAT for vbs.
I tested it and it's the same as H-Worm.
It's being sold around out there.
Here it is.
Direct download
[External link removed for guests]
Regards
Skype contact: Rodrilanus
Thanks roda!! A hug, che!
Question: did you analyze it??
There's a DNS: kingmummylive.com
It connects to the IP: 160.153.133.148
The file in general has interesting strings; I'll see if I can dig deeper, I just saw this post.

file: WSHRat.exe
md5:  6a92d6ed9cafa2901371412f36783912

---------------------------------------------
No ports selected
\settings.dat
/c wmic csproduct get UUID
UUID
[External link removed for guests] ( [External link removed for guests] )
---------------------------------------------
WSH Rat v1.1
PictureBox1.Image
PictureBox1
Save File As
Form1
WSH Rat
[External link removed for guests]
DoubleBuffered
process-explorer
log-browser
---------------------------------------------
keylogger
GetProperty
FileSystemProxy
RegistryProxy
{4c826102-4dc3-42d9-ab1c-ad1d20f51220}
{60e64ee9-707a-4916-a7d8-4132ff9e5830}
{eff5fec9-64f5-41b2-89c6-33884fcb6a30}
{f2d4cd41-9b92-420e-8ee9-6d32701cfa50}
{c318cb47-5ca2-4bf1-8364-a243a9584060}
{29610a3a-726d-4c83-a7f0-69716bf6e470}
{4f81f996-2f2f-4c20-b691-2e3420d6a570}
{9d651bc0-19b6-4d6d-828e-b34072504e70}
{3f1069d5-c632-43cf-94f6-223b313bbe80}
{d3d2f7f7-a793-4d31-b138-f6899b1b0790}
{5c168c61-73b7-4331-9598-269f09d37e90}
{e2fcf2bd-bdde-4bb9-9582-47919f3ca4a0}
{7fd826d1-aeb8-4d04-abc2-bb7b36b4d6a0}
{c1f355ce-59fd-4e3f-8ea9-983761af12b0}
{c72fb4df-544e-4dc2-8c84-cf9ecb2d84b0}
{49e9ca0a-d9e2-4e91-8a5f-af4fd525feb0}
{b55f4adf-d2df-4d17-a30c-1a3f09bebec0}
{1f2e54cc-cd8f-4b4a-b791-548bffdef2d0}
{121ae0e0-3ae0-44c6-a69e-346d2b0effd0}
{4e13d375-b88a-455d-95fb-e7b162ad7ff0}
{42b4ae9e-9781-4333-9ab3-c295a5f9ac01}
{e8f6758d-e786-4af5-aa9c-08ec6baae211}
{02b2598a-8469-4c03-947d-6a685b6aa621}
{0ee15f1c-2259-4c0b-94c0-7f7d03fc3821}
{6798cc83-569c-405f-920b-1166a4865f31}
{a878a5a5-7c67-47ee-88eb-0cd5f99c1141}
{b00abbe0-3919-470a-87df-1850a39c2c51}
---------------------------------------------
ToolStripDropDownItem
ToolStripItem
get_DisableUACToolStripMenuItem
set_DisableUACToolStripMenuItem
get_RemotePCToolStripMenuItem
set_RemotePCToolStripMenuItem
get_ExecuteRemoteCMDToolStripMenuItem
set_ExecuteRemoteCMDToolStripMenuItem
get_RecoverPasswordToolStripMenuItem
set_RecoverPasswordToolStripMenuItem
get_SurveilanceToolStripMenuItem
set_SurveilanceToolStripMenuItem
get_InternetExplorerEdgeToolStripMenuItem
set_InternetExplorerEdgeToolStripMenuItem
get_GoogleChromeToolStripMenuItem
set_GoogleChromeToolStripMenuItem
get_DownloadAndExecuteToolStripMenuItem
set_DownloadAndExecuteToolStripMenuItem
get_UploadAndExecuteToolStripMenuItem
set_UploadAndExecuteToolStripMenuItem
get_UninstallToolStripMenuItem
set_UninstallToolStripMenuItem
get_ToolToolStripMenuItem
set_ToolToolStripMenuItem
get_RemoteScreenToolStripMenuItem
---------------------------------------------
SHRAT
/is-ready
\Audio\notify.wav
/send-to-me
/open-keylogger
/open-rdp
/open-filebrowser
/is-processes
/is-logs
/update-status
/take-log
/chrome
GOOGLE CHROME BROWSER
==============================
\tmp.tmp
Action
User Name Field
Password Field
Created Time
Password Strength
Password File
skipped
/mozilla
MOZILLA FIREFOX BROWSER
==============================
Web Site
User Name
Password
Password Use
Password Change
INTERNET EXPLORER BROWSER
==============================
Type
Stored In
/mail
EMAIL CLIENTS
==============================
/is-cmd-shell
content-length:
content-length:
HTTP/1.1 200 OK
Content-Length:
Connection: close
Unknown
127.0.0.1
Local Country
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
[External link removed for guests]
/json/
country
country_name
user-agent:
user-agent:
Leelawadee
[WSH] New Client Connected
lblPC
PC-NAME
lblIP
lblCountry
United States
Toast
New Connection
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
WSH Remote Access Tool
CompanyName
WSH Inc California
FileDescription
WSHRat
FileVersion
1.1.0.0
InternalName
WSHRat.exe
LegalCopyright
Copyright
  2019
OriginalFilename
WSHRat.exe
ProductName
WSHRat
ProductVersion
1.1.0.0
Assembly Version
1.1.0.0
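A defender-side triage script added here to go with the strings dump above; it is not code from the poster or from the sample itself. It pulls printable ASCII and UTF-16LE strings out of a byte buffer (.NET binaries keep their string literals in UTF-16) and matches them against the indicators visible in this thread: the C2 command paths, the domain and IP, and the version-info metadata. The two input buffers are constructed inline for demonstration and are not real binaries, and the verdict thresholds in classify() are my own assumption, chosen so that several C2 paths together is the strong signal and a single hit is only flagged as suspicious.

```python
import re
from typing import Dict, List

# Indicators copied from the strings dump in this thread (WSH Rat v1.1 panel,
# md5 6a92d6ed9cafa2901371412f36783912), grouped so hits can be scored by type.
INDICATORS: Dict[str, List[str]] = {
    "c2_command": [
        "/is-ready", "/send-to-me", "/open-keylogger", "/open-rdp",
        "/open-filebrowser", "/is-processes", "/is-logs", "/update-status",
        "/take-log", "/is-cmd-shell",
    ],
    "network": ["kingmummylive.com", "160.153.133.148"],
    "metadata": ["WSH Rat v1.1", "WSH Remote Access Tool", "WSHRat.exe",
                 "WSH Inc California"],
    "recon": ["wmic csproduct get UUID"],
}

# Runs of printable ASCII, and runs of printable ASCII encoded as UTF-16LE.
_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable strings (ASCII and UTF-16LE) found in a byte buffer."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(data)]
    return found


def match_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the indicators present in the buffer."""
    strings = extract_strings(data)
    hits: Dict[str, List[str]] = {}
    for category, needles in INDICATORS.items():
        matched = [n for n in needles if any(n in s for s in strings)]
        if matched:
            hits[category] = matched
    return hits


def classify(hits: Dict[str, List[str]]) -> str:
    """Turn matches into a verdict (thresholds are an assumption, tune to taste)."""
    c2 = len(hits.get("c2_command", []))
    if c2 >= 3 or (c2 >= 1 and ("network" in hits or "metadata" in hits)):
        return "wsh-rat"
    if hits:
        return "suspicious"
    return "clean"


def scan(data: bytes) -> Dict[str, object]:
    """Scan one buffer and return the verdict together with the matched indicators."""
    hits = match_indicators(data)
    return {"verdict": classify(hits), "hits": hits}


# Constructed sample buffers (not real files): one mimics the panel's layout with
# UTF-16 literals plus ASCII network/metadata strings, the other is benign.
SAMPLE_RAT = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "/is-ready".encode("utf-16-le") + b"\x00\x00"
    + "/open-keylogger".encode("utf-16-le") + b"\x00\x00"
    + "/take-log".encode("utf-16-le") + b"\x00\x00"
    + b"kingmummylive.com\x00"
    + b"WSH Rat v1.1\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"Hello World\x00" + b"/api/status\x00"

if __name__ == "__main__":
    for name, blob in (("sample_rat", SAMPLE_RAT), ("sample_benign", SAMPLE_BENIGN)):
        print(name, scan(blob))
```

To run it over a real file, read the file as bytes and pass the buffer to scan(); matching on the command paths rather than on the domain or IP alone keeps the check useful when the C2 host changes between builds.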
Thanks Roda, but I can't find the password to extract it. I should tell you that it's version 1 I'm looking for; with the one you uploaded it doesn't matter whether it makes a connection.