Malware Analysis Report

2024-10-19 09:24

Sample ID 230810-rrt5fsde66
Target Request For Quotation(RFQ).js
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
Tags
wshrat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb

Threat Level: Known bad

The file Request For Quotation(RFQ).js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 14:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 14:26

Reported

2023-08-10 14:28

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands N/A N/A 15 identical events

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4132 wrote to memory of 4944 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe 2 identical events

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 harold.2waky.com udp 1
NL 185.225.73.194:3609 harold.2waky.com tcp 15 (repeated C2 connections, interleaved with the reverse lookups below)
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp 1
US 8.8.8.8:53 194.73.225.185.in-addr.arpa udp 1
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp 1
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 126.152.241.8.in-addr.arpa udp 1
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp 1
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js

MD5 7d0e70bd24c9431e9e90eb4a132eec82
SHA1 228c57595183e96eb700aeca4e0f3487d9b42554
SHA256 70edb99a3f1cae9e76d21ea3cb02131dddf69557258c652ff604ba934ba4a360
SHA512 a1b534599b5d92ee2102b0882ae7192c75aea67443d4cd0ef7e095533499d1cd4d84f34c33e7a383c2d55d7e79a2cb9317d5a2e1fc948cbc69b855e026e46f24

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 14:26

Reported

2023-08-10 14:28

Platform

win7-20230712-en

Max time kernel

143s

Max time network

148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|0C1A2205|MGKTNXNO|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands N/A N/A 15 identical events

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2080 wrote to memory of 2336 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe 3 identical events

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ip-api.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 8.8.8.8:53 harold.2waky.com udp 1
NL 185.225.73.194:3609 harold.2waky.com tcp 15 (repeated C2 connections)

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d