wshrat | 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7

General

Target

Request For Quotation.js
Size

973KB
MD5

fc71c87b2465e63c5205674f9aeb730a
SHA1

2854cf5945ab636c2b78d68d1caffffedf4f0827
SHA256

5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7
SHA512

9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7
SSDEEP

6144:QQ1Umw4NGuO/GyTSVddI5qh+7StXtwTx+PrL0Srx7mnDtEKD2uEF2oEA5iUVyFWT:Tn15/

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 15 IoCs

flow	pid	Process
4	2452	wscript.exe
6	2452	wscript.exe
8	2452	wscript.exe
9	2452	wscript.exe
11	2452	wscript.exe
12	2452	wscript.exe
13	2452	wscript.exe
14	2452	wscript.exe
16	2452	wscript.exe
17	2452	wscript.exe
18	2452	wscript.exe
20	2452	wscript.exe
21	2452	wscript.exe
22	2452	wscript.exe
23	2452	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	22	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	8	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	11	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	14	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	17	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	18	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	6	WSHRAT\|0C17B774\|YKQDESCX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 18/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2452	2560	wscript.exe	29
PID 2560 wrote to memory of 2452	2560	wscript.exe	29
PID 2560 wrote to memory of 2452	2560	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
973KB

MD5
9db49fb17f2918393110fbfb7b39a750

SHA1
caa2efc133781d259a3d37226d1ec60ae82f7ee6

SHA256
6aead16b501d8cdc98e23bb95d2a0794428c9c94be34e4fe8b2dad8fb070d93c

SHA512
a6332d4bd07046f1f19ffacf0017f88b9f03a1eba1d14b38d8b1d7add665f181e9bacadf3ea7ce602d53512912776d2ddcbc02ae985d3bb64de84047a8cbd63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
973KB

MD5
fc71c87b2465e63c5205674f9aeb730a

SHA1
2854cf5945ab636c2b78d68d1caffffedf4f0827

SHA256
5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7

SHA512
9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
973KB

MD5
fc71c87b2465e63c5205674f9aeb730a

SHA1
2854cf5945ab636c2b78d68d1caffffedf4f0827

SHA256
5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7

SHA512
9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7

Download Submit

Analysis

Sharing