Extracted

• • Target

    GOE-6.508.pdf.js

  • Size

    1.5MB

  • MD5

    a35a17d6d986737f8d13c2e7896175b4

  • SHA1

    ec1631b83df832f28b20c86b629e0c2862b3334c

  • SHA256

    4f3ad298763c484458b73b7e53ff043df5b3923187cda71b50424f14949b336c

  • SHA512

    81c8e1d2b857973c752f524fa8461c91fb50ffa33b33d8617fcc326d386c69d2e3b94555651e4f304d98ef2aae2a5a180fcc31b156cbe07e0eb37777c93f2b53

  Score

  10^/10

  wshratlinkpdfpersistencesuricatatrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • WSHRAT Payload

  • suricata: ET MALWARE WSHRAT CnC Checkin

    suricata: ET MALWARE WSHRAT CnC Checkin

    suricata

  • suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

    suricata

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

    suricata

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2