wshrat | bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

General

Target

Request For Quotation.js
Size

965KB
MD5

361ff80872705750749fc5c27006aba5
SHA1

d0e36f27aea4f6b17587f68d06f307e368d8443a
SHA256

bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8
SHA512

ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f
SSDEEP

6144:QQQ2zF22es2/0w7aMT3H2KqPLOSxgEDC4OlNnOm5trZ+DGArhisPGfLA5b0l2uvN:TfG

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 18 IoCs

flow	pid	Process
10	3812	wscript.exe
16	3812	wscript.exe
32	3812	wscript.exe
39	3812	wscript.exe
52	3812	wscript.exe
67	3812	wscript.exe
68	3812	wscript.exe
76	3812	wscript.exe
78	3812	wscript.exe
79	3812	wscript.exe
80	3812	wscript.exe
81	3812	wscript.exe
82	3812	wscript.exe
83	3812	wscript.exe
84	3812	wscript.exe
89	3812	wscript.exe
90	3812	wscript.exe
91	3812	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 17 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	89	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	67	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	68	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	79	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	16	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	83	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	84	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	39	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	82	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	90	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	80	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	91	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	52	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	78	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3812	2884	wscript.exe	86
PID 2884 wrote to memory of 3812	2884	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit

Analysis

Sharing