wshrat | bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

General

Target

Request For Quotation.js
Size

965KB
MD5

361ff80872705750749fc5c27006aba5
SHA1

d0e36f27aea4f6b17587f68d06f307e368d8443a
SHA256

bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8
SHA512

ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f
SSDEEP

6144:QQQ2zF22es2/0w7aMT3H2KqPLOSxgEDC4OlNnOm5trZ+DGArhisPGfLA5b0l2uvN:TfG

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 16 IoCs

flow	pid	Process
8	3180	wscript.exe
10	3180	wscript.exe
31	3180	wscript.exe
33	3180	wscript.exe
39	3180	wscript.exe
50	3180	wscript.exe
63	3180	wscript.exe
64	3180	wscript.exe
67	3180	wscript.exe
68	3180	wscript.exe
72	3180	wscript.exe
74	3180	wscript.exe
75	3180	wscript.exe
76	3180	wscript.exe
77	3180	wscript.exe
81	3180	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 15 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	31	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	50	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	63	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	67	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	75	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	10	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	39	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	74	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	33	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	68	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	77	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	64	WSHRAT\|DAEBE96E\|MSXGLQPS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 12/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3180	2660	wscript.exe	85
PID 2660 wrote to memory of 3180	2660	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
965KB

MD5
361ff80872705750749fc5c27006aba5

SHA1
d0e36f27aea4f6b17587f68d06f307e368d8443a

SHA256
bf2f0ecbbbd33ef1369595b5f7455e8777abeadd3b12571209a8f44c92628ee8

SHA512
ee33aa8a50b7f30925a44f22bfe7be6e686ce4fdeb49d9e258b0b5a3c16b94568723dfca53ba80bdc12be4a8ae3eee455a1322c75d094c886174d89052415b4f

Download Submit

Analysis

Sharing