Overview

overview

10

Static

static

1

Request Fo...FQ).js

windows7-x64

10

Request Fo...FQ).js

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2023 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request For Quotation(RFQ).js

  • Size

    946KB

  • MD5

    70ebc4c266527efd8a70e6ff259d0ce1

  • SHA1

    44209fe366081d1a1191f7b7dbfd27f34e23d755

  • SHA256

    284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb

  • SHA512

    72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

  • SSDEEP

    6144:QQ7Eqk/qylpe5u9cyON5Q5iOG7xKMBjEZcqjIfgSPyDlLnMC31I1lvERmcfbqPo5:TGF

Score
10/10
wshrattrojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.2waky.com:3609

Signatures

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 16 IoCs
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 15 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js
    Filesize

    946KB

    MD5

    7d0e70bd24c9431e9e90eb4a132eec82

    SHA1

    228c57595183e96eb700aeca4e0f3487d9b42554

    SHA256

    70edb99a3f1cae9e76d21ea3cb02131dddf69557258c652ff604ba934ba4a360

    SHA512

    a1b534599b5d92ee2102b0882ae7192c75aea67443d4cd0ef7e095533499d1cd4d84f34c33e7a383c2d55d7e79a2cb9317d5a2e1fc948cbc69b855e026e46f24

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js
    Filesize

    946KB

    MD5

    70ebc4c266527efd8a70e6ff259d0ce1

    SHA1

    44209fe366081d1a1191f7b7dbfd27f34e23d755

    SHA256

    284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb

    SHA512

    72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js
    Filesize

    946KB

    MD5

    70ebc4c266527efd8a70e6ff259d0ce1

    SHA1

    44209fe366081d1a1191f7b7dbfd27f34e23d755

    SHA256

    284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb

    SHA512

    72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

    Download Submit