wshrat | 1605ba6b37eeca60319c2a18a2004856d01b7563aa660793d229a80acbfa669b

General

Target

Quote.js
Size

1.5MB
MD5

7d2d391002b97ff0652b9148902b6abd
SHA1

142abb8196206209738c16b1da79e9773d349ba5
SHA256

1605ba6b37eeca60319c2a18a2004856d01b7563aa660793d229a80acbfa669b
SHA512

f6c1ecba496b65b8ff7f78b22e846db8dc1adceae21fd5f2ac8c0720a81cfee3c18b106d6b7cf844a47443bbf697b3c7966b795996bbc46c84ff1ad3a687ea1a
SSDEEP

6144:KQiFy0BCvRBHByGr0cr4lUGZB4By1jnld66nsleTosWDRC/Gjt5PzoArRT9S5ZTI:Z6VR7loaaf

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:2020

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
4	2672	wscript.exe
5	2672	wscript.exe
7	2672	wscript.exe
8	2672	wscript.exe
9	2672	wscript.exe
11	2672	wscript.exe
12	2672	wscript.exe
14	2672	wscript.exe
16	2672	wscript.exe
18	2672	wscript.exe
19	2672	wscript.exe
20	2672	wscript.exe
21	2672	wscript.exe
22	2672	wscript.exe
29	2672	wscript.exe
30	2672	wscript.exe
31	2672	wscript.exe
32	2672	wscript.exe
33	2672	wscript.exe
34	2672	wscript.exe
35	2672	wscript.exe
36	2672	wscript.exe
37	2672	wscript.exe
38	2672	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2604	keylogger.exe
544	vkl.exe

Loads dropped DLL 1 IoCs

pid	Process
328	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKL-GBS0LE = "\"C:\\Users\\Admin\\AppData\\Roaming\\ViottoKeylogger\\vkl.exe\""	keylogger.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VKL-GBS0LE = "\"C:\\Users\\Admin\\AppData\\Roaming\\ViottoKeylogger\\vkl.exe\""	keylogger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKL-GBS0LE = "\"C:\\Users\\Admin\\AppData\\Roaming\\ViottoKeylogger\\vkl.exe\""	vkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VKL-GBS0LE = "\"C:\\Users\\Admin\\AppData\\Roaming\\ViottoKeylogger\\vkl.exe\""	vkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Quote.js\""	wscript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keylogger.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2784	regedit.exe
2608	regedit.exe

Script User-Agent 18 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	32	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	5	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	20	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	31	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	36	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	9	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	22	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	29	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	34	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	35	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	37	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	21	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	19	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	30	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	33	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	38	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom
HTTP User-Agent header	8	WSHRAT\|B4BE3DCB\|KHBTHJFA\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 17/10/2024\|JavaScript-v3.4\|GB:United Kingdom

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
544	vkl.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2784	2188	wscript.exe	30
PID 2188 wrote to memory of 2784	2188	wscript.exe	30
PID 2188 wrote to memory of 2784	2188	wscript.exe	30
PID 2188 wrote to memory of 2672	2188	wscript.exe	31
PID 2188 wrote to memory of 2672	2188	wscript.exe	31
PID 2188 wrote to memory of 2672	2188	wscript.exe	31
PID 2672 wrote to memory of 2608	2672	wscript.exe	32
PID 2672 wrote to memory of 2608	2672	wscript.exe	32
PID 2672 wrote to memory of 2608	2672	wscript.exe	32
PID 2672 wrote to memory of 2604	2672	wscript.exe	33
PID 2672 wrote to memory of 2604	2672	wscript.exe	33
PID 2672 wrote to memory of 2604	2672	wscript.exe	33
PID 2672 wrote to memory of 2604	2672	wscript.exe	33
PID 2604 wrote to memory of 3020	2604	keylogger.exe	35
PID 2604 wrote to memory of 3020	2604	keylogger.exe	35
PID 2604 wrote to memory of 3020	2604	keylogger.exe	35
PID 2604 wrote to memory of 3020	2604	keylogger.exe	35
PID 3020 wrote to memory of 328	3020	WScript.exe	36
PID 3020 wrote to memory of 328	3020	WScript.exe	36
PID 3020 wrote to memory of 328	3020	WScript.exe	36
PID 3020 wrote to memory of 328	3020	WScript.exe	36
PID 328 wrote to memory of 544	328	cmd.exe	38
PID 328 wrote to memory of 544	328	cmd.exe	38
PID 328 wrote to memory of 544	328	cmd.exe	38
PID 328 wrote to memory of 544	328	cmd.exe	38

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Quote.js
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
  2⤵
  - Runs .reg file with regedit
  PID:2784
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Quote.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2608
- - C:\Users\Admin\AppData\Roaming\keylogger.exe
    "C:\Users\Admin\AppData\Roaming\keylogger.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ViottoKeylogger\vkl.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:328
      - C:\Users\Admin\AppData\Roaming\ViottoKeylogger\vkl.exe
        
        C:\Users\Admin\AppData\Roaming\ViottoKeylogger\vkl.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

Filesize
143B

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
430B

MD5
f4111f61c6d6f585ad20f674592ea89f

SHA1
35a84b1a1ab37853ce54560fcc71bca91b0e3ca7

SHA256
7b74cf34df17a030bc08fc12d519bda615d38bfe322865fad474a2c2266c171c

SHA512
15c2629ff9366277e1cfed9532e01c7c254b2dad0683ac3e19be9a448ad9fe8f2b5b5e1813da7f79fa930aaa10862da02f58077488ee92c91576e37c23fe66df

Download Submit
C:\Users\Admin\AppData\Roaming\Quote.js

Filesize
1.5MB

MD5
7d2d391002b97ff0652b9148902b6abd

SHA1
142abb8196206209738c16b1da79e9773d349ba5

SHA256
1605ba6b37eeca60319c2a18a2004856d01b7563aa660793d229a80acbfa669b

SHA512
f6c1ecba496b65b8ff7f78b22e846db8dc1adceae21fd5f2ac8c0720a81cfee3c18b106d6b7cf844a47443bbf697b3c7966b795996bbc46c84ff1ad3a687ea1a

Download Submit
C:\Users\Admin\AppData\Roaming\keylogger.exe

Filesize
82KB

MD5
7d1ec62e7af8e03924a871a1043febbe

SHA1
753b472506fafb875217090d518040bc66a330ab

SHA256
69b5981fbff2fbd191b8c786da080b3783252742fe47d00d6012ce572dc32d7d

SHA512
f4e5945183c4e150525e7b4a3bd1150efb311694e00a31bf2e15491138d27877b2cb0d2bbbe0c90abf2e88f4a4ec54da412794379c3aa130d10b4f71115b3c8f

Download Submit
C:\Users\Admin\AppData\Roaming\log.txt

Filesize
168B

MD5
3ab1871eb464e5e816471befd1b4e1e4

SHA1
911160fab10407ff702ed993c39a1430a2c0ccb2

SHA256
43c9d2fee5406ffaffdcb15bb32178a8ed6bb001c6aceda57a3ca9bb40193092

SHA512
edfd30411c10da064db8ae4cf2fd4e19ed0bce6c88b5b54ca8e2afc44fe379110f3848830538bba27eb7d69cb034ab7ec03bc7914c91b6897ee98e4bd01ae48b

Download Submit
memory/328-33-0x0000000000150000-0x0000000000183000-memory.dmp

Filesize
204KB

Download
memory/544-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-2-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2784-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads