wshrat | 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

General

Target

Request For Quotation.js
Size

896KB
MD5

7253f19b242503fad9a8b4e106d27318
SHA1

58accce68dfd8de6e378956387dfbceb8f964287
SHA256

6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
SHA512

780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9
SSDEEP

6144:QQLz4cW/pKERl7E9USsfl07aGvbEVyzNeez2V6M5uk5jrtnQ1RGlM9VIfSRIwIcw:T7X4oRVW+L40gqNbEMlp4

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 14 IoCs

flow	pid	Process
4	2460	wscript.exe
6	2460	wscript.exe
8	2460	wscript.exe
9	2460	wscript.exe
11	2460	wscript.exe
12	2460	wscript.exe
13	2460	wscript.exe
15	2460	wscript.exe
16	2460	wscript.exe
17	2460	wscript.exe
19	2460	wscript.exe
20	2460	wscript.exe
21	2460	wscript.exe
23	2460	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 13 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	15	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	17	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	20	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	6	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	11	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	13	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	16	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	19	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|5417AB95\|DSWJWADP\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2460	2516	wscript.exe	29
PID 2516 wrote to memory of 2460	2516	wscript.exe	29
PID 2516 wrote to memory of 2460	2516	wscript.exe	29

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
896KB

MD5
7253f19b242503fad9a8b4e106d27318

SHA1
58accce68dfd8de6e378956387dfbceb8f964287

SHA256
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

SHA512
780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
896KB

MD5
7253f19b242503fad9a8b4e106d27318

SHA1
58accce68dfd8de6e378956387dfbceb8f964287

SHA256
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

SHA512
780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
896KB

MD5
7253f19b242503fad9a8b4e106d27318

SHA1
58accce68dfd8de6e378956387dfbceb8f964287

SHA256
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

SHA512
780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Download Submit

Analysis

Sharing