wshrat | 15e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745

General

Target

Quotation_Request.js
Size

985KB
MD5

4aaba804e86dad56392b2a3dda056001
SHA1

d544b097a373d1357570a4385b7912457367da3c
SHA256

15e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745
SHA512

7423d168f25f948310295e27b9a950b8666c6cd44a6a7d0f5768cdf69aec53cb7d068aaf6c3caa0674aed94bbb66aeef8f53dc04107a601cfbabf76641ad412b
SSDEEP

6144:QQb9JgDg3ynDDKFCxCDwYjgegH0LGsJ2W1G32bi3/v0AbiBB8pt1vGWtkbIcJOyq:T7tm

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 17 IoCs

Processes:

wscript.exe

flow	pid	process
4	1632	wscript.exe
6	1632	wscript.exe
7	1632	wscript.exe
8	1632	wscript.exe
11	1632	wscript.exe
12	1632	wscript.exe
13	1632	wscript.exe
15	1632	wscript.exe
16	1632	wscript.exe
17	1632	wscript.exe
19	1632	wscript.exe
20	1632	wscript.exe
21	1632	wscript.exe
23	1632	wscript.exe
24	1632	wscript.exe
25	1632	wscript.exe
27	1632	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation_Request.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation_Request.js	wscript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	ip-api.com

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	27	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	7	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	11	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	12	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	16	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	17	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	20	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	13	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	15	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	23	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	6	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	8	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	21	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	24	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	19	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India
HTTP User-Agent header	25	WSHRAT\|7031BB36\|BPOQNXYB\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 30/5/2023\|JavaScript-v3.4\|IN:India

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1992 wrote to memory of 1632	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 1632	1992	wscript.exe	wscript.exe
PID 1992 wrote to memory of 1632	1992	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quotation_Request.js
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quotation_Request.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation_Request.js
Filesize
704KB

MD5
546b6694622d75c06b6b0e42f4ee144d

SHA1
8adb6c3ac2d70fe0789b7f9ec2aafadf68198025

SHA256
abf1544fb6c3978efc53bd10aaf363cc71f1ad1c621f67db7104376dea28bb1c

SHA512
9a5348b0a1e775c9f72d5cf2a600806de69e9c97ba608d4add21c5358197a29fc85dca64acf0b758a2d44969e50f186ddcdc1bcd4f210f7e6c2d46016f7fcde2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation_Request.js
Filesize
985KB

MD5
4aaba804e86dad56392b2a3dda056001

SHA1
d544b097a373d1357570a4385b7912457367da3c

SHA256
15e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745

SHA512
7423d168f25f948310295e27b9a950b8666c6cd44a6a7d0f5768cdf69aec53cb7d068aaf6c3caa0674aed94bbb66aeef8f53dc04107a601cfbabf76641ad412b

Download Submit
C:\Users\Admin\AppData\Roaming\Quotation_Request.js
Filesize
985KB

MD5
4aaba804e86dad56392b2a3dda056001

SHA1
d544b097a373d1357570a4385b7912457367da3c

SHA256
15e847369c9a89eadb626ec7b3f058b17fce169dad5d0ad44edab3d7ec04f745

SHA512
7423d168f25f948310295e27b9a950b8666c6cd44a6a7d0f5768cdf69aec53cb7d068aaf6c3caa0674aed94bbb66aeef8f53dc04107a601cfbabf76641ad412b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads