Malware Analysis Report

2024-10-23 22:01

Sample ID 230718-qc7xbsae52
Target Request For Quotation.js
SHA256 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7
Tags wshrat trojan
Score 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7

Threat Level: Known bad

The file Request For Quotation.js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-07-18 13:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-07-18 13:08
Reported 2023-07-18 13:10
Platform win7-20230712-en
Max time kernel 150s
Max time network 152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|0C17B774|YKQDESCX|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 18/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2452 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 fc71c87b2465e63c5205674f9aeb730a
SHA1 2854cf5945ab636c2b78d68d1caffffedf4f0827
SHA256 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7
SHA512 9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 9db49fb17f2918393110fbfb7b39a750
SHA1 caa2efc133781d259a3d37226d1ec60ae82f7ee6
SHA256 6aead16b501d8cdc98e23bb95d2a0794428c9c94be34e4fe8b2dad8fb070d93c
SHA512 a6332d4bd07046f1f19ffacf0017f88b9f03a1eba1d14b38d8b1d7add665f181e9bacadf3ea7ce602d53512912776d2ddcbc02ae985d3bb64de84047a8cbd63b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 fc71c87b2465e63c5205674f9aeb730a
SHA1 2854cf5945ab636c2b78d68d1caffffedf4f0827
SHA256 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7
SHA512 9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7

Analysis: behavioral2

Detonation Overview

Submitted 2023-07-18 13:08
Reported 2023-07-18 13:10
Platform win10v2004-20230703-en
Max time kernel 145s
Max time network 156s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|DAEBE96E|MSXGLQPS|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 18/7/2023|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 3152 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
US 8.8.8.8:53 164.113.222.173.in-addr.arpa udp
US 8.8.8.8:53 udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 254.151.241.8.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp
NL 45.81.39.90:3609 harold.2waky.com tcp

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 fc71c87b2465e63c5205674f9aeb730a
SHA1 2854cf5945ab636c2b78d68d1caffffedf4f0827
SHA256 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7
SHA512 9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 767db561824bab7d3411ba766d2cda45
SHA1 32a1f0be70442f216725a8e9cb8c12a66c91cb8b
SHA256 dc5a19140b43e69aa7bee6d7464bed387e154713949e14e99bd2dadb83732419
SHA512 e2547f8c927caa40e119682e0852a4815db90717d235455670e365719d7fea9d209446b89d34f2330127cd1ebc29879010aab2488e12df2763fb5e627c3846bc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 fc71c87b2465e63c5205674f9aeb730a
SHA1 2854cf5945ab636c2b78d68d1caffffedf4f0827
SHA256 5dbf39f65d41bae9a5762be44f9f1815bb76c2caabb63d1b2be274bcba2e63c7
SHA512 9edfb762447dc9dc78140a632f5aa884b96112747284fb9f3275e5b960d2585fc7418672cab464ef5cd09a9f3beb9a9efb7da19f41db6b0d082e7e4dce8ee0f7