Malware Analysis Report

2024-10-23 22:01

Sample ID 230719-p4l89sfb68
Target Request For Quotation.js
SHA256 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
Tags
wshrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf

Threat Level: Known bad

The file Request For Quotation.js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-19 12:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-19 12:53

Reported

2023-07-19 12:55

Platform

win7-20230712-en

Max time kernel

143s

Max time network

146s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

The script writes a copy of itself into the per-user Startup folder, so Explorer hands it to wscript.exe again at every logon of this user. The trace shows no Run-key or scheduled-task persistence, only this file copy, and the copy is byte-identical to the submitted sample (same hashes in the Files section below).

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

The script resolves and contacts ip-api.com over plain HTTP (see Network below) before it reaches its C2. The trailing NL:Netherlands field in the beacon User-Agent below is consistent with the RAT geolocating the sandbox's egress address through this service.

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (the same header was observed on 13 requests)
Indicator: WSHRAT|5417AB95|DSWJWADP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/7/2023|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

The header is the RAT's check-in beacon, pipe-delimited in the layout inherited from the Houdini/Hworm VBS RAT that WSHRAT descends from. Read by position it is: family name, victim ID (5417AB95), hostname (DSWJWADP), username (Admin), OS string, build marker (plus), installed antivirus (nan-av, i.e. none found), USB-spreading flag with install date (false - 19/7/2023), RAT version (JavaScript-v3.4) and country (NL:Netherlands). The victim ID and hostname are stable per infected host, which makes the string a good proxy-log indicator; the sandbox supplies no Process/Target attribution for these rows.

Suspicious use of WriteProcessMemory

Description: PID 2516 wrote to memory of 2460 (3 writes)
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: C:\Windows\System32\wscript.exe

PID 2516 is the first wscript.exe and PID 2460 the second one it launches (see Processes below). A parent writing into a child it has just created is what ordinary process start-up looks like, so on its own this signature does not establish code injection; it is listed because any cross-process write by a script host is unusual enough to flag.

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

(initial execution of the submitted sample from the Temp directory)

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

(child of the first process; it re-runs the copy the script placed in %APPDATA%. The //B switch puts wscript.exe in batch mode, which suppresses script error dialogs and prompts instead of showing them to the user.)

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp (13 connections)

harold.2waky.com is a hostname under the free dynamic-DNS domain 2waky.com. It resolved to 45.81.39.90 during this run and the RAT opened 13 connections to it on TCP/3609, matching the 13 beacon requests in the Script User-Agent table. Both the hostname and the IP:port pair are the C2 indicators for this sample, with the caveat that a dynamic-DNS name can be re-pointed at any time.

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 7253f19b242503fad9a8b4e106d27318
SHA1 58accce68dfd8de6e378956387dfbceb8f964287
SHA256 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
SHA512 780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 7253f19b242503fad9a8b4e106d27318
SHA1 58accce68dfd8de6e378956387dfbceb8f964287
SHA256 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
SHA512 780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-19 12:53

Reported

2023-07-19 12:55

Platform

win10v2004-20230703-en

Max time kernel

144s

Max time network

149s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\wscript.exe
Target: N/A

HKCU\Control Panel\International\Geo\Nation holds the user's configured country as a Windows GeoID. Reading it is a common environment check in commodity RATs (typically for geofencing); this trace does not show the script behaving differently because of the value, and the Windows 7 run above did not record the query at all.

Drops startup file

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\System32\wscript.exe
Target: N/A

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js
Process: C:\Windows\system32\wscript.exe
Target: N/A

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header (the same header was observed on 13 requests)
Indicator: WSHRAT|22189A4B|HISXQJCD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 19/7/2023|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

Same beacon layout as in the Windows 7 run; only the per-host fields differ (victim ID 22189A4B, hostname HISXQJCD, OS string "Microsoft Windows 10 Pro"). A detection should therefore key on the structure or on the fixed fields (family name, plus, JavaScript-v3.4) rather than on a specific victim ID or hostname.
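
The beacon format shown in this Script User-Agent table and in the Windows 7 run above, as an added example that is not part of the sandbox report: a Python parser that splits the header by position, a structural check that still fires if the family name is changed, and a hunt over a few constructed proxy log lines. The field names, the heuristic in is_wsh_beacon, the log line format, the client addresses and the RENAMED variant are all assumptions of this example; only the two User-Agent strings are taken from the report.

```python
"""Added example (not part of the sandbox report): decode the pipe-delimited
WSHRAT beacon User-Agent and hunt for it in proxy logs. Field names are an
interpretation by position of the strings observed in the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Both beacons observed in this report, copied from the Script User-Agent tables.
UA_WIN7 = ("WSHRAT|5417AB95|DSWJWADP|Admin|Microsoft Windows 7 Ultimate |plus|"
           "nan-av|false - 19/7/2023|JavaScript-v3.4|NL:Netherlands")
UA_WIN10 = ("WSHRAT|22189A4B|HISXQJCD|Admin|Microsoft Windows 10 Pro|plus|"
            "nan-av|false - 19/7/2023|JavaScript-v3.4|NL:Netherlands")


@dataclass(frozen=True)
class Beacon:
    family: str         # "WSHRAT"
    hwid: str           # per-victim id, 8 hex digits
    hostname: str
    username: str
    os: str
    build: str          # "plus"
    antivirus: str      # "nan-av" when no AV product was found
    usb_spread: str     # "true"/"false"
    install_date: str   # d/m/yyyy
    version: str        # "JavaScript-v3.4"
    country_code: str   # "NL"
    country: str        # "Netherlands"


def parse_beacon(ua: str) -> Beacon | None:
    """Split a beacon into fields; None if the string is not in the 10-field layout."""
    parts = ua.split("|")
    if len(parts) != 10:
        return None
    usb, sep_date, date = parts[7].partition(" - ")
    code, sep_cc, country = parts[9].partition(":")
    if not (sep_date and sep_cc):
        return None
    return Beacon(parts[0], parts[1], parts[2], parts[3], parts[4].strip(),
                 parts[5], parts[6], usb.strip(), date.strip(), parts[8],
                 code, country)


def is_wsh_beacon(ua: str) -> bool:
    """Structural match (assumed heuristic) that still fires if the family name is changed."""
    b = parse_beacon(ua)
    return (b is not None
            and re.fullmatch(r"[0-9A-F]{8}", b.hwid) is not None
            and b.version.startswith("JavaScript-v")
            and len(b.country_code) == 2)


# Constructed proxy log lines for the demo (not from the sandbox trace):
# <timestamp> <client> <server:port> <method> <url> "<user-agent>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
                      r'(?P<url>\S+) "(?P<ua>[^"]*)"$')
UA_RENAMED = UA_WIN10.replace("WSHRAT", "RENAMED")  # hypothetical rebranded build
SAMPLE_LOG = [
    f'2023-07-19T12:54:01Z 10.0.0.15 208.95.112.1:80 GET http://ip-api.com/ "{UA_WIN7}"',
    f'2023-07-19T12:54:03Z 10.0.0.15 45.81.39.90:3609 POST http://harold.2waky.com:3609/ "{UA_WIN7}"',
    '2023-07-19T12:54:05Z 10.0.0.22 203.0.113.9:443 GET https://example.com/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    f'2023-07-19T12:55:10Z 10.0.0.31 45.81.39.90:3609 POST http://harold.2waky.com:3609/ "{UA_RENAMED}"',
]


def hunt(lines: list[str]) -> list[dict[str, str]]:
    """Return one record per log line whose User-Agent is a WSH RAT beacon."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_wsh_beacon(m["ua"]):
            continue
        b = parse_beacon(m["ua"])
        assert b is not None  # guaranteed by is_wsh_beacon
        hits.append({"src": m["src"], "dst": m["dst"], "family": b.family,
                     "hwid": b.hwid, "hostname": b.hostname})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f'{h["src"]} -> {h["dst"]}  {h["family"]} victim {h["hwid"]} ({h["hostname"]})')
```

The exact family string is deliberately not part of the match: the structural check (ten pipe-separated fields, an 8-hex-digit ID, a JavaScript-v version field and a two-letter country code) is what catches the RENAMED line, which a string match on "WSHRAT|" would miss.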

Suspicious use of WriteProcessMemory

Description: PID 1836 wrote to memory of 2976 (2 writes)
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: C:\Windows\System32\wscript.exe

As in the Windows 7 run, the writer is the first wscript.exe and the target is the child wscript.exe it spawns (see Processes below); this is consistent with process creation rather than injection.

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"

The chain is the same as in the Windows 7 run: the sample copies itself to %APPDATA% and to the Startup folder, then relaunches the %APPDATA% copy under wscript.exe //B (batch mode, so no error dialogs or prompts are shown), giving a wscript.exe -> wscript.exe process tree.

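The relaunch chain in the Processes section and the Startup-folder drop from the Drops startup file signature, expressed as detection logic over constructed Sysmon-style process-create (EventID 1) and file-create (EventID 11) events. This is an added example, not the sandbox's output or the sample's code. The explorer.exe parent of the first process, the notepad.exe control event, the rule names and the extension list beyond .js are assumptions; the generalisation to cscript.exe and the other WSH script extensions deliberately goes beyond what this trace shows.

```python
"""Added example (not from the sandbox): match the wscript.exe relaunch chain and
the Startup-folder drop seen in this report against Sysmon-style process-create
(EventID 1) and file-create (EventID 11) events. Events below are constructed
to mirror the behavioral2 trace; the explorer.exe parent is assumed."""
from __future__ import annotations

import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The sample is .js; the other WSH-handled extensions are included deliberately.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# //B (batch mode) as a standalone token; wscript also accepts a single slash.
BATCH_FLAG = re.compile(r"(?<!\S)//?b(?!\S)", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list[str]:
    """Rules fired by an EventID 1 (process create) record."""
    hits = []
    image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_script_host")
    if (image in SCRIPT_HOSTS and BATCH_FLAG.search(cmd)
            and any(d in cmd.lower() for d in USER_WRITABLE)):
        hits.append("script_host_batch_mode_from_user_dir")
    return hits


def check_file(ev: dict) -> list[str]:
    """Rules fired by an EventID 11 (file create) record."""
    target = ev["TargetFilename"].lower()
    if STARTUP_DIR in target and ntpath.splitext(target)[1] in SCRIPT_EXTS:
        return ["startup_folder_script_drop"]
    return []


def triage(events: list[dict]) -> dict[int, list[str]]:
    """ProcessId -> rules fired, for every event that fired at least one rule."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] == 11:
            hits = check_file(ev)
        else:
            hits = []
        if hits:
            findings.setdefault(ev["ProcessId"], []).extend(hits)
    return findings


WSCRIPT = "C:\\Windows\\system32\\wscript.exe"
SAMPLE = "Request For Quotation.js"
EVENTS = [  # constructed; PIDs 1836 and 2976 are the ones in the report
    {"EventID": 1, "ProcessId": 1836, "Image": WSCRIPT,
     "CommandLine": f'wscript.exe "C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "ProcessId": 1836, "Image": WSCRIPT,
     "TargetFilename": f"C:\\Users\\Admin\\AppData\\Roaming\\{SAMPLE}"},
    {"EventID": 11, "ProcessId": 1836, "Image": WSCRIPT,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\"
                       f"Start Menu\\Programs\\Startup\\{SAMPLE}"},
    {"EventID": 1, "ProcessId": 2976, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": f'"C:\\Windows\\System32\\wscript.exe" //B "C:\\Users\\Admin\\AppData\\Roaming\\{SAMPLE}"',
     "ParentImage": WSCRIPT, "ParentProcessId": 1836},
    {"EventID": 1, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, ", ".join(rules))
```

The %APPDATA% copy itself fires no file rule (it is outside the Startup folder); what makes the chain stand out is the combination of a Startup-folder script drop by a script host and a script host spawning a second script host in batch mode from a user-writable path. Either half alone is a weaker signal, so a real rule set would score them together per parent PID.
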
Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 45.81.39.90:3609 harold.2waky.com tcp (13 connections, interleaved with the reverse lookups below)

Reverse (PTR) lookups sent to 8.8.8.8:53 over udp during the run, in order of appearance:
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 90.39.81.45.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 254.151.241.8.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Of the PTR queries, 1.112.95.208.in-addr.arpa and 90.39.81.45.in-addr.arpa are reverse lookups of ip-api.com (208.95.112.1) and of the C2 (45.81.39.90). The other ten are for addresses this sample never contacted and are most likely background traffic of the Windows 10 sandbox image rather than activity of the script; they should not be treated as indicators. The C2 indicators are the same as in the Windows 7 run: harold.2waky.com and 45.81.39.90:3609.

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation.js

MD5 7253f19b242503fad9a8b4e106d27318
SHA1 58accce68dfd8de6e378956387dfbceb8f964287
SHA256 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
SHA512 780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

MD5 7253f19b242503fad9a8b4e106d27318
SHA1 58accce68dfd8de6e378956387dfbceb8f964287
SHA256 6ec3e682fbbd0c23fb4e3a2c2b28f03431b90a88651d227ae3f33b6fadf507cf
SHA512 780608f8217ead3565b9b395a79e436096b1db123842976a375cc7c5770d6fcc724465a45d55e6dfb75e78e139cd6a5ec0bb639a0e0488d3effbc9c3b6fb17b9