{
	"id": "b29df980-4daf-4374-b589-a7984dfb6915",
	"created_at": "2026-04-06T00:19:31.06907Z",
	"updated_at": "2026-04-10T03:22:08.711796Z",
	"deleted_at": null,
	"sha1_hash": "e4d1d72ef658dae07dd485e8ea9683bc10c19007",
	"title": "IoCs/Broadbased/wsh_rat.md at master · jeFF0Falltrades/IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48988,
	"plain_text": "IoCs/Broadbased/wsh_rat.md at master · jeFF0Falltrades/IoCs\r\nBy jeFF0Falltrades\r\nArchived: 2026-04-05 22:02:31 UTC\r\nWSH RAT (A variant of H-Worm/Houdini)\r\nReporting\r\nhttps://cofense.com/houdini-worm-transformed-new-phishing-attack\r\nYARA\r\nrule wsh_rat_vbs_decoded\r\n{\r\nmeta:\r\nauthor = \"jeFF0Falltrades\"\r\nref = \"https://cofense.com/houdini-worm-transformed-new-phishing-attack\"\r\ndescription = \"Alerts on the decoded WSH RAT VBScript\"\r\nstrings:\r\n$str_0 = \"wshsdk\" wide ascii nocase\r\n$str_1 = \"wshlogs\" wide ascii nocase\r\n$str_2 = \"WSHRAT\" wide ascii nocase\r\n$str_3 = \"WSH Sdk for password recovery\" wide ascii nocase\r\n$str_4 = \"wshlogs\\\\recovered_password_email.log\" wide ascii nocase\r\n$str_5 = \"post (\\\"is-ready\\\",\\\"\\\")\" wide ascii nocase\r\n$str_6 = \"split (response,spliter)\" wide ascii nocase\r\n$str_7 = \"updatestatus(\\\"SDK+Already+Installed\\\")\" wide ascii nocase\r\n$str_8 = \"case \\\"get-pass-offline\\\"\" wide ascii nocase\r\n$str_9 = \"case \\\"up-n-exec\\\"\" wide ascii nocase\r\n$str_10 = \"Unable to automatically recover password\" wide ascii nocase\r\n$str_11 = \"reverseproxy\" wide ascii nocase\r\n$str_12 = \"keyloggerstarter\" wide ascii nocase\r\ncondition:\r\n3 of ($str*)\r\n}\r\nrule wsh_rat_keylogger\r\n{\r\nmeta:\r\nauthor = \"jeFF0Falltrades\"\r\nref = \"https://cofense.com/houdini-worm-transformed-new-phishing-attack\"\r\ndescription = \"Alerts on the WSH RAT .NET keylogger module\"\r\nstrings:\r\n$str_0 = \"Keylogger\" wide ascii nocase\r\n$str_1 = \"RunKeyloggerOffline\" wide ascii nocase\r\n$str_2 = \"saveKeyLog\" wide ascii nocase\r\n$str_3 = \"sendKeyLog\" wide ascii nocase\r\n$str_4 = \"/open-keylogger\" wide ascii nocase\r\n$str_5 = \"wshlogs\" wide ascii nocase\r\n$str_6 = \"WSHRat Plugin\" wide ascii nocase\r\n$str_7 = \"Debug\\\\Keylogger.pdb\" wide ascii nocase\r\ncondition:\r\n3 of them\r\n}\r\nrule wsh_rat_rdp\r\n{\r\nmeta:\r\nauthor = \"jeFF0Falltrades\"\r\nref = \"https://cofense.com/houdini-worm-transformed-new-phishing-attack\"\r\ndescription = \"Alerts on the WSH RAT .NET RDP module\"\r\nstrings:\r\n$str_0 = \"GET /open-rdp|\" wide ascii nocase\r\n$str_1 = \"WSHRat Plugin\" wide ascii nocase\r\n$str_2 = \"Debug\\\\RDP.pdb\" wide ascii nocase\r\n$str_3 = \"TakeShoot\" wide ascii nocase\r\n$str_4 = \"CompressJPEG\" wide ascii nocase\r\ncondition:\r\n3 of them\r\n}\r\nrule wsh_rat_reverse_proxy\r\n{\r\nmeta:\r\nauthor = \"jeFF0Falltrades\"\r\nref = \"https://cofense.com/houdini-worm-transformed-new-phishing-attack\"\r\ndescription = \"Alerts on the WSH RAT .NET reverse proxy module\"\r\nstrings:\r\n$str_0 = \"RProxy:\" wide ascii nocase\r\n$str_1 = \"WSH Inc\" wide ascii nocase\r\n$str_2 = \"WSH Reverse Proxy\" wide ascii nocase\r\n$str_3 = \"Debug\\\\ReverseProxy.pdb\" wide ascii nocase\r\n$str_4 = \"WshRP\" wide ascii nocase\r\n$str_5 = \"NotifyBringNewSocket\" wide ascii nocase\r\ncondition:\r\n3 of them\r\n}\r\nSample Hashes\r\nDecoded VBS Script\r\n956fb59036b01ebf0fb3a6345eafa2c4aed8dcbad8db63d5c9f3188ceb32bd17\r\n023938e5f920989b356a897349137a70bf519c72f36219cb147525a650ef7ae4\r\nKeylogger Module\r\n272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a\r\nRDP Module\r\nd65a3033e440575a7d32f4399176e0cdb1b7e4efa108452fcdde658e90722653\r\nSource: https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md"
	],
	"report_names": [
		"wsh_rat.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4d1d72ef658dae07dd485e8ea9683bc10c19007.pdf",
		"text": "https://archive.orkl.eu/e4d1d72ef658dae07dd485e8ea9683bc10c19007.txt",
		"img": "https://archive.orkl.eu/e4d1d72ef658dae07dd485e8ea9683bc10c19007.jpg"
	}
}