General

  • Target

    PAYMENT FOR INV.js

  • Size

    254KB

  • Sample

    221221-t1c9eafg5z

  • MD5

    acca18f941aa76254ad8b70486012863

  • SHA1

    02313c293c860237159cf81761cc65585273daea

  • SHA256

    7019e1c5a3d9516d62c6557d68b60f7751d68ce0e369d868387e90a0749ccb68

  • SHA512

    8d88f4fdf8a66d867faf5683ea983ef68b0f565c9e62ebe1429e4619ef127257d0643f462215232a0619b5ec9c0fcbc96cc950a6cc5c1e10084aab1f18e10e84

  • SSDEEP

    3072:GdXY/+yAsOAY2Mcj+wlq22tOBqEFRDectBp3/hgbTjBIxPBrz480jad/8nUuiVvF:aDA5Mcj+wj2ctBNJUI/rcLjMuOIK8wpl

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://80.76.51.124:1965

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks