General

  • Target

    Request For Quotation.js

  • Size

    922KB

  • Sample

    230522-krm8kshh9s

  • MD5

    df16341b546c4513907c10ebe3e5baed

  • SHA1

    6a36f75cf6f766fe916479f293424bfeb5e22fd2

  • SHA256

    0f860c0525fc35fafd22e282bc67c688828db9b53b1fb372f8953a2be5fd6f06

  • SHA512

    e395866def96a00a6ba1d7481a84c5d078dede83c3f25d5a80b82e326f70c7033a184553b2046522aa2a68da8fb59efa28b708f292ad4c2881c552bc39d1adc2

  • SSDEEP

    6144:QQ2zjyhcHCrvrmbQXG9q8liIszutQEHQEBkxkN23pHC2vyLfSjHvPcY/4JGG3Yc2:TWXa0i

  • Score

    10/10

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://harold.2waky.com:3609

Targets

    • Target

      Request For Quotation.js

    • Size

      922KB

    • MD5

      df16341b546c4513907c10ebe3e5baed

    • SHA1

      6a36f75cf6f766fe916479f293424bfeb5e22fd2

    • SHA256

      0f860c0525fc35fafd22e282bc67c688828db9b53b1fb372f8953a2be5fd6f06

    • SHA512

      e395866def96a00a6ba1d7481a84c5d078dede83c3f25d5a80b82e326f70c7033a184553b2046522aa2a68da8fb59efa28b708f292ad4c2881c552bc39d1adc2

    • SSDEEP

      6144:QQ2zjyhcHCrvrmbQXG9q8liIszutQEHQEBkxkN23pHC2vyLfSjHvPcY/4JGG3Yc2:TWXa0i

    • Score

      10/10

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks