General

  • Target

    Request For Quotation.js

  • Size

    1.2MB

  • Sample

    230516-jzd47sbh65

  • MD5

    dca76785db3828884851b229738392e2

  • SHA1

    d7687fe5780970e04849d142f7889391be73ed99

  • SHA256

    1254fb84cd8e21d3c712881f606cd36e8d068ad89b205da335614696bfc59ca3

  • SHA512

    30399033982b81aea21cab8c44739b053bb603c8b516e01ce1a1c6396004fd998dd01798d184259151de5217df9afc2b85e5ef2fa9711e6ec31f66a44ef2ab9c

  • SSDEEP

    1536:QQ12UuLTs1CdS1nOsMokKleE73rnroY1YDEvMKfQXr6rsqTorsqTPs8Csn98uXOY:QQvo9S7xNJ0iIhQG9T

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks