wshrat | bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

General

Target

Request For Quotation.js
Size

965KB
MD5

361ff80872705750749fc5c27006aba5
SHA1

d0e36f27aea4f6b17587f68d06f307e368d8443a
SHA256

bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8
SHA512

ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f
SSDEEP

6144:QQQ2zF22es2/0w7aMT3H2KqPLOSxgEDC4OlNnOm5trZ+DGArhisPGfLA5b0l2uvN:TfG

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 17 IoCs

flow	pid	Process
12	3888	wscript.exe
16	3888	wscript.exe
26	3888	wscript.exe
32	3888	wscript.exe
35	3888	wscript.exe
36	3888	wscript.exe
46	3888	wscript.exe
47	3888	wscript.exe
48	3888	wscript.exe
51	3888	wscript.exe
55	3888	wscript.exe
58	3888	wscript.exe
61	3888	wscript.exe
75	3888	wscript.exe
76	3888	wscript.exe
77	3888	wscript.exe
81	3888	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	26	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	46	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	36	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	51	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	55	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	58	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	16	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	48	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	61	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	35	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	47	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	75	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	77	WSHRAT\|3E9A1168\|MNHMTTDP\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 3888	4352	wscript.exe	86
PID 4352 wrote to memory of 3888	4352	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit

Analysis

Sharing