General

  • Target

    Request For Quotation.js

  • Size

    941KB

  • Sample

    230714-pgmaraed9w

  • MD5

    8b3ad681d5649f4c1955096bc04bfe18

  • SHA1

    09ef01f730ceef26760567522dfe3e87f59afc8a

  • SHA256

    31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f

  • SHA512

    20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab

  • SSDEEP

    6144:QQ9uAGLJjAtJ5uRtO+I5rHjqOcT8cZ3JijlE2LN00moJpVMqZ76SVLY6QT4AFe0V:TG

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • Target

      Request For Quotation.js

    • Size

      941KB

    • MD5

      8b3ad681d5649f4c1955096bc04bfe18

    • SHA1

      09ef01f730ceef26760567522dfe3e87f59afc8a

    • SHA256

      31c2e51efcbff0aa489aa6af1a48cf78f6a9febfb449a19d029f8cc8ebb4495f

    • SHA512

      20ec006e32344b25757c5e67ff5b0a2f6880cf4d991b9d9e32bf3c4a42e4f849ce7abc30a5e8b006e024861c4ee2628a5958ba9a82a7e057acbd6b9b5dced2ab

    • SSDEEP

      6144:QQ9uAGLJjAtJ5uRtO+I5rHjqOcT8cZ3JijlE2LN00moJpVMqZ76SVLY6QT4AFe0V:TG

    Score
    10/10
    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks