Extracted

• • Target

    DRAFT-COPY6979977-SHIPPING -DOCUMENT9696969.exe

  • Size

    1.4MB

  • MD5

    211ebc2eede41dbffd0cfa437ec6a32f

  • SHA1

    e0c0d52cb266c517d84b759f2423fb6e1a93f337

  • SHA256

    5b4db1bf348e86d6295c33248ec0a5085de36b830b1528ada92e9abf291f61c5

  • SHA512

    9c1c501fe3b5b149594c7110d8c8b15013c5bb595a1aaf2b341e9a9fee7140848744e45697b59f48d2216eec04f3008c7247457847808c22298fd3a98a698ce3

  • SSDEEP

    24576:JAOcZ5pO7jnAp0u8GFkfhadicVTc4T+ztkdtNBVQ70M/dj2qHLt:jlHAp5FkfhadicVJKztkXNjQ70MQqHR

  Score

  10^/10

  wshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • WSHRAT payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2