General

  • Target

    Quotation.js

  • Size

    1.0MB

  • Sample

    231023-p3gx6agf91

  • MD5

    7b3d2b6ee0d1b7dcd4848affd8eb41df

  • SHA1

    5482b40c977ded69e5efd71240e989f03113c95a

  • SHA256

    7469ed4d59e6580cdeab5182930b2e2d50e662b9d18eefb964118fcf8c7f4f03

  • SHA512

    36d65113f20e3476c65057876aefba62b133fdedac1a54f92ce5ef42ca9198426f9941e7a5bd7fd89590f9c676183f5ea8d95b69d90db3349b1fec848411a47a

  • SSDEEP

    6144:MQcpZc2Deey3T+J5hXbPgkjJeVK1Mkl88Ee9t9k/pol+zRjzPT+AjLvNnfywWleH:X6o

Score
10/10

Malware Config

Extracted

Family

wshrat

C2

http://harold.ns01.info:3609

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15