wshrat | 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

General

Target

Request For Quotation.js
Size

896KB
MD5

7253f19b242503fad9a8b4e106d27318
SHA1

58accce68dfd8de6e378956387dfbceb8f964287
SHA256

6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
SHA512

780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9
SSDEEP

6144:QQLz4cW/pKERl7E9USsfl07aGvbEVyzNeez2V6M5uk5jrtnQ1RGlM9VIfSRIwIcw:T7X4oRVW+L40gqNbEMlp4

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 14 IoCs

flow	pid	Process
7	2976	wscript.exe
9	2976	wscript.exe
35	2976	wscript.exe
40	2976	wscript.exe
53	2976	wscript.exe
62	2976	wscript.exe
63	2976	wscript.exe
71	2976	wscript.exe
72	2976	wscript.exe
74	2976	wscript.exe
75	2976	wscript.exe
76	2976	wscript.exe
81	2976	wscript.exe
82	2976	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 13 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	35	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	53	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	71	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	74	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	76	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	81	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	40	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	62	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	63	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	72	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands
HTTP User-Agent header	75	WSHRAT\|22189A4B\|HISXQJCD\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/7/2023\|JavaScript-v3.4\|NL:Netherlands

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2976	1836	wscript.exe	85
PID 1836 wrote to memory of 2976	1836	wscript.exe	85

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
896KB

MD5
7253f19b242503fad9a8b4e106d27318

SHA1
58accce68dfd8de6e378956387dfbceb8f964287

SHA256
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

SHA512
780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
896KB

MD5
7253f19b242503fad9a8b4e106d27318

SHA1
58accce68dfd8de6e378956387dfbceb8f964287

SHA256
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

SHA512
780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
896KB

MD5
7253f19b242503fad9a8b4e106d27318

SHA1
58accce68dfd8de6e378956387dfbceb8f964287

SHA256
6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

SHA512
780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Download Submit

Analysis

Sharing