wshrat | 0677778651e6e33725cf6517a2bfa1fba1c7ca0bccde26b9c1408cd95b1741f9

General

Target

Request For Quotation.js
Size

940KB
MD5

78252a15f51c83f53b649437cfb4dd89
SHA1

199691ba02706c385773a874fe6a6f6776d336dc
SHA256

0677778651e6e33725cf6517a2bfa1fba1c7ca0bccde26b9c1408cd95b1741f9
SHA512

87217894c79e6e17ef7c40ae3e8ab404fe5a7fc55028763bce93388cb9cc8c778536061ac97ddbc51bb5424a00f55d7362480706c04bfc7ceaa18fc70957c264
SSDEEP

6144:XQsxuHg3waI+262g6Wl087udlFgnSTlWViJo4Q5SSAjMDbriPufIKeMuRg3B6oWM:gD4

Score

10^/10

wshrat trojan

Malware Config

Extracted

Family

wshrat

C2

http://harold.jetos.com:3609

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 13 IoCs

flow	pid	Process
6	3412	wscript.exe
8	3412	wscript.exe
28	3412	wscript.exe
35	3412	wscript.exe
51	3412	wscript.exe
58	3412	wscript.exe
59	3412	wscript.exe
64	3412	wscript.exe
69	3412	wscript.exe
70	3412	wscript.exe
71	3412	wscript.exe
72	3412	wscript.exe
76	3412	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	51	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	59	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	69	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	71	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	28	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	35	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	58	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	64	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	70	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	72	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	76	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|1C0E0619\|TSBKFJQM\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 1/2/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 3412	1872	wscript.exe	86
PID 1872 wrote to memory of 3412	1872	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Request For Quotation.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
354KB

MD5
3c21048255e24e51963acd408b04c38a

SHA1
ca198e164e7e9ccd81318e15db29056207a4dc09

SHA256
2218d1f0ee7046e8f25190976e8da8d811bc2e39f68416560e2855c8af352ab0

SHA512
504b13fca5802db09014d74271107c68a96db9a3d044a2680fd3a53608f16d701a839e2bc8c21d1970a3dbcb057ee2fe2d2df869f87da0a25770c2cc23a2a390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Request For Quotation.js

Filesize
362KB

MD5
5aef5ee75c2109ff7e3867ec4c33edde

SHA1
292fe77beb3480693e662f16c7ced38a58cabfc7

SHA256
439f5dc203b637aa17246538c68cb3977ab22bd825a1380e0aeda7fcf5acc225

SHA512
6843f48f71c678cc72091885c5856ef4dd7d081fbbc49e57b0b5ebb6c46bbae5c1cffbd1e19c8777b5a12511eb96d76dce4897570b5493f79786742e65e0fd25

Download Submit
C:\Users\Admin\AppData\Roaming\Request For Quotation.js

Filesize
644KB

MD5
2167165cb5ccb87e4d228e8b43ed06d9

SHA1
da690f10eb4b0c6134e83a6a3b5f3a2c21f348d7

SHA256
5c2ead52080306f25a45f7af4921bee8e3561914f16d23d97ab9ef44db667591

SHA512
81313c943b192123aa770a249e9ec31c6b8df37f3de9dcd93e387f127a5e3393a6b08780ce5ea799cf7bc9a47f43fa22b743927f38d67ddec40ec6adb5ddb289

Download Submit

Analysis

Sharing