wshrat | bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

Analysis

max time kernel
138s
max time network
152s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
12/07/2023, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request For Quotation.js
Size

965KB
MD5

361ff80872705750749fc5c27006aba5
SHA1

d0e36f27aea4f6b17587f68d06f307e368d8443a
SHA256

bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8
SHA512

ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f
SSDEEP

6144:QQQ2zF22es2/0w7aMT3H2KqPLOSxgEDC4OlNnOm5trZ+DGArhisPGfLA5b0l2uvN:TfG

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 11 IoCs

flow	pid	Process
4	2064	wscript.exe
6	2064	wscript.exe
7	2064	wscript.exe
9	2064	wscript.exe
11	2064	wscript.exe
12	2064	wscript.exe
13	2064	wscript.exe
15	2064	wscript.exe
16	2064	wscript.exe
17	2064	wscript.exe
20	2064	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	15	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	6	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	7	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	11	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|2413F9E0\|NDNQFVMO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2064	2340	wscript.exe	28
PID 2340 wrote to memory of 2064	2340	wscript.exe	28
PID 2340 wrote to memory of 2064	2340	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
26ac080e4626508a2f8a682b09894178

SHA1
dc7af85ee1a6183188266ade5bed824024219d12

SHA256
c58faae17a8494a958a3b482796bfaa82ce5c725979413d52c53f0d2d1f8a2aa

SHA512
92c1ae45b27027d901ab5dfc0b945ba7e92e59a37e0350fc86e04bc9ee097fe89b88478fb78ed30b5364cc25a13873f3f8f5601d46b61aee1b2b5573710a7862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit