analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Proforma Invoice.js

Full analysis: https://app.any.run/tasks/1dea8e86-f054-466c-9e52-49efefff2adb
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 17:08:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
stealer
wshrat
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

E11C4858C73A9F7FC1E62D56997C596B

SHA1:

DA96C83B3C5B749D8DFF9C5BAE4B41A62E757738

SHA256:

22D987EB8983590955A24C3458DFD18F192BB1DBD91E82F99A5DA47D7248C866

SSDEEP:

3072:/NMxSBziU1HE3Jua5LKvD4Yp4m+XeutNeNs:lj1HECvsYmmmeE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 1856)
      • wscript.exe (PID: 952)

    • Writes to a start menu file

      • WScript.exe (PID: 1856)
      • wscript.exe (PID: 952)

    • WSHRAT was detected

      • wscript.exe (PID: 952)

    • Connects to CnC server

      • wscript.exe (PID: 952)

    • Application was dropped or rewritten from another process

      • kl-plugin.exe (PID: 2236)

  • SUSPICIOUS

    • Application launched itself

      • WScript.exe (PID: 1856)

    • Creates files in the user directory

      • WScript.exe (PID: 1856)
      • wscript.exe (PID: 952)

    • Executes scripts

      • WScript.exe (PID: 1856)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 952)

    • Checks for external IP

      • wscript.exe (PID: 952)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4028)

    • Connects to unusual port

      • wscript.exe (PID: 952)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 952)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start wscript.exe #WSHRAT wscript.exe cmd.exe no specs taskkill.exe no specs kl-plugin.exe

Process information

PID
CMD
Path
Indicators
Parent process
1856"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
952"C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Roaming\Proforma Invoice.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
4028"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exeC:\Windows\system32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1880taskkill /F /IM kl-plugin.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2236"C:\Users\admin\AppData\Roaming\kl-plugin.exe" 79.134.225.103 7775 "WSHRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional |plus|nan-av|false - 8/11/2019|JavaScript-v2.3|IT:Italy" 1C:\Users\admin\AppData\Roaming\kl-plugin.exe
wscript.exe
User:
admin
Company:
WSHRat Plugin
Integrity Level:
MEDIUM
Description:
klplu
Version:
1.1.0.0
Total events
593
Read events
542
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\5xe2ccne.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\in_jkzyd.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\tjkswubp.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\brkvqeg4.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\uqq0de2-.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\usvvh8zp.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\hkapfudc.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\smup9a_n.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\kxjyfy0s.newcfg
MD5:
SHA256:
2236kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\va-lngrh.newcfg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
15
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
952
wscript.exe
POST
79.134.225.103:7775
http://79.134.225.103:7775/is-ready
CH
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
952
wscript.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
952
wscript.exe
79.134.225.103:7775
Andreas Fink trading as Fink Telecom Services
CH
malicious

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
952
wscript.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
952
wscript.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
952
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
952
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952
wscript.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
952
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
952
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
Process
Message
kl-plugin.exe
SetWindowsHookEx WH_MOUSE_LL
kl-plugin.exe
SetWindowsHookEx WH_MOUSE_LL
kl-plugin.exe
11/08/2019 17:09:05>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=910, y=376, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:05>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=911, y=375, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:05>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=912, y=375, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:06>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=925, y=371, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:06>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=938, y=351, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:06>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=966, y=344, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:06>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=986, y=351, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:09:06>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=986, y=348, mouseData=0, flags=0, dwExtraInfo=0
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Proforma Invoice.js