General

  • Target

    Request For Quotation.js

  • Size

    926KB

  • Sample

    230721-g52rcacc73

  • MD5

    d88e96b01cbe12a5dbaefd28ccfcc7dc

  • SHA1

    d1c01512b187176428440463eaae7b7d5be2aabf

  • SHA256

    8cae71910574fa96fdf20ddab8897e90d155e50036ddb2f3d033a7b13a45b90f

  • SHA512

    1dc22521994a390b97ad7e7880f1812b865a22b5c5681bacc3870f37baae37f2772e071f68a6a7b1669664f2c00d0f7c96d8815601bdcef69c43d008da348388

  • SSDEEP

    6144:QQbl/QgzB5SMaGRnxrga5gxa17U7ck9d8JDr+DNgMPiColqGYXY/i/Dz9rcgVfEn:TNLfp

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks