File name:	TNT Collection Request BH7 178845.js
Full analysis:	https://app.any.run/tasks/595e5278-8756-4675-93c1-addf53f73428
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild. Malware Trends Tracker >>>
Analysis date:	September 19, 2019, 04:51:33
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	evasion trojan stealer wshrat
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines
MD5:	B28DED06BD8BF831365F48823C0B06F6
SHA1:	554BFC93BE07783E48A0DAC00EBD2B445E194E2F
SHA256:	382A31D812736E03A8F6310EF0C6CF0864610C4E4AF103F298E1594C357EC09A
SSDEEP:	3072:zvgOngX1oQl+AakDVusQyXg5GWBrseH/8Erbb4wy6Qp:zvgOngKQOkDzg/Brs0Ty

PID	CMD	Path	Indicators	Parent process
2500	"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\TNT Collection Request BH7 178845.js"	C:\Windows\System32\WScript.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384
5780	"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js"	C:\Windows\System32\wscript.exe		WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384
5952	"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js"	C:\Windows\System32\wscript.exe		WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384
5672	"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js"	C:\Windows\System32\wscript.exe	—	wscript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384


(PID) Process:	(2500) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2500) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2500) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2500) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2500) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	TNT Collection Request BH7 178845
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js"
(PID) Process:	(5780) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	YLFuizCVuT
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js"
(PID) Process:	(5952) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5952) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5952) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5952) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
2500	WScript.exe	C:\Users\admin\AppData\Roaming\YLFuizCVuT.js		text
		MD5:2643400553598F91F4B38591042083EC	SHA256:DB9CAE56ED65104978DCBB62BB92A3FFC11FD78F14871A5E53B277258571AC9B
2500	WScript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNT Collection Request BH7 178845.js		text
		MD5:B28DED06BD8BF831365F48823C0B06F6	SHA256:382A31D812736E03A8F6310EF0C6CF0864610C4E4AF103F298E1594C357EC09A
5952	wscript.exe	C:\Users\admin\AppData\Roaming\YLFuizCVuT.js		text
		MD5:2643400553598F91F4B38591042083EC	SHA256:DB9CAE56ED65104978DCBB62BB92A3FFC11FD78F14871A5E53B277258571AC9B
2500	WScript.exe	C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js		text
		MD5:B28DED06BD8BF831365F48823C0B06F6	SHA256:382A31D812736E03A8F6310EF0C6CF0864610C4E4AF103F298E1594C357EC09A
5780	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YLFuizCVuT.js		text
		MD5:2643400553598F91F4B38591042083EC	SHA256:DB9CAE56ED65104978DCBB62BB92A3FFC11FD78F14871A5E53B277258571AC9B
5952	wscript.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\json[1].json		text
		MD5:A4DDD02D2FE4A2E2BE5F61A8842BCB0B	SHA256:B59E0863D7B70AA26810FBCA29E9E1720C35A175A9346B290CA2710C51AE9760
5952	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNT Collection Request BH7 178845.js		text
		MD5:B28DED06BD8BF831365F48823C0B06F6	SHA256:382A31D812736E03A8F6310EF0C6CF0864610C4E4AF103F298E1594C357EC09A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5780	wscript.exe	POST	—	45.79.48.200:7757	http://pluginsrv1.duckdns.org:7757/is-ready	US	—	—	malicious
5780	wscript.exe	POST	—	45.79.48.200:7757	http://pluginsrv1.duckdns.org:7757/is-ready	US	—	—	malicious
5952	wscript.exe	POST	—	154.124.195.86:2813	http://2813.noip.me:2813/is-ready	SN	—	—	malicious
5952	wscript.exe	POST	—	154.124.195.86:2813	http://2813.noip.me:2813/is-ready	SN	—	—	malicious
5952	wscript.exe	POST	—	154.124.195.86:2813	http://2813.noip.me:2813/is-ready	SN	—	—	malicious
5780	wscript.exe	POST	—	45.79.48.200:7757	http://pluginsrv1.duckdns.org:7757/is-ready	US	—	—	malicious
5780	wscript.exe	POST	—	45.79.48.200:7757	http://pluginsrv1.duckdns.org:7757/is-ready	US	—	—	malicious
5952	wscript.exe	POST	—	154.124.195.86:2813	http://2813.noip.me:2813/is-ready	SN	—	—	malicious
5780	wscript.exe	POST	—	45.79.48.200:7757	http://pluginsrv1.duckdns.org:7757/is-ready	US	—	—	malicious
5952	wscript.exe	POST	—	154.124.195.86:2813	http://2813.noip.me:2813/is-ready	SN	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
5952	wscript.exe	54.38.92.92:80	ip-api.com	OVH SAS	FR	malicious
5780	wscript.exe	45.79.48.200:7757	pluginsrv1.duckdns.org	Linode, LLC	US	malicious
5952	wscript.exe	154.124.195.86:2813	2813.noip.me	Autonomous System	SN	malicious

Domain	IP	Reputation
pluginsrv1.duckdns.org	45.79.48.200	malicious
ip-api.com	54.38.92.92	shared
2813.noip.me	154.124.195.86	malicious
self.events.data.microsoft.com	52.114.158.91	whitelisted
nexusrules.officeapps.live.com	52.109.124.19	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
5952	wscript.exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
5952	wscript.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5952	wscript.exe	A Network Trojan was detected	ET TROJAN WSHRAT CnC Checkin
5952	wscript.exe	A Network Trojan was detected	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
5780	wscript.exe	A Network Trojan was detected	ET TROJAN WSHRAT CnC Checkin
5780	wscript.exe	A Network Trojan was detected	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
5952	wscript.exe	A Network Trojan was detected	ET TROJAN WSHRAT CnC Checkin
5952	wscript.exe	A Network Trojan was detected	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
5780	wscript.exe	A Network Trojan was detected	ET TROJAN WSHRAT CnC Checkin

General Info

TNT Collection Request BH7 178845.js

B28DED06BD8BF831365F48823C0B06F6

554BFC93BE07783E48A0DAC00EBD2B445E194E2F

382A31D812736E03A8F6310EF0C6CF0864610C4E4AF103F298E1594C357EC09A

3072:zvgOngX1oQl+AakDVusQyXg5GWBrseH/8Erbb4wy6Qp:zvgOngKQOkDzg/Brs0Ty

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Writes to a start menu file

WSHRAT was detected

Connects to CnC server

SUSPICIOUS

Application launched itself

Creates files in the user directory

Executes scripts

Reads the machine GUID from the registry

Connects to unusual port

Checks for external IP

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings