Malware Analysis Report

2024-10-19 09:24

Sample ID 230810-rsca2ade76
Target Request For Quotation(RFQ).js
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
Tags
wshrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb

Threat Level: Known bad

The file Request For Quotation(RFQ).js was found to be: Known bad.

Malicious Activity Summary

wshrat trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 14:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 14:26

Reported

2023-08-10 14:29

Platform

win7-20230712-en

Max time kernel

146s

Max time network

149s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|701717DD|WGWIREOE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands N/A N/A (13 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2308 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (3 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 185.225.73.194:3609 harold.2waky.com tcp (13 identical entries)

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 14:26

Reported

2023-08-10 14:29

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

157s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|B000C75D|LMMMEQUO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 10/8/2023|JavaScript-v3.4|NL:Netherlands N/A N/A (13 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 4648 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe (2 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation(RFQ).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 harold.2waky.com udp
NL 185.225.73.194:3609 harold.2waky.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 194.73.225.185.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
NL 185.225.73.194:3609 harold.2waky.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
NL 185.225.73.194:3609 harold.2waky.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 185.225.73.194:3609 harold.2waky.com tcp (4 consecutive identical entries)
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 185.225.73.194:3609 harold.2waky.com tcp (4 consecutive identical entries)
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
NL 185.225.73.194:3609 harold.2waky.com tcp (2 consecutive identical entries)

Files

C:\Users\Admin\AppData\Roaming\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation(RFQ).js

MD5 70ebc4c266527efd8a70e6ff259d0ce1
SHA1 44209fe366081d1a1191f7b7dbfd27f34e23d755
SHA256 284839414beba349dfacfb02f8da76431513a9f072877d6cd9b783c60d8510fb
SHA512 72c742233a0d59777519c3b03af553bd43097d8d54782a8215343b6b01f48ba001dfe66d1210a1486808568db620a6277b78417621780e5483152b7c4d84ce3d