Extracted

• • Target

    PO102983459pdf.js

  • Size

    188KB

  • MD5

    bc83816244612cf692c88784bf39314e

  • SHA1

    f2b0aebbf7668f78344bcf2c5c6c739b0bdb4152

  • SHA256

    f6cf56fadb9bc380881e8d653e2a9cbca6dd145d66b24b5d61fc8769fb45f12e

  • SHA512

    a552a667c39799f391501bf8419a15147ed2d692543903f1c718ac38a51d89012cc2739be2c6539a06bab1813f5ef7b94782bb87fb18fbbf928a0f835b667e98

  • SSDEEP

    3072:KyBsgQF1zZbbURCftbIpklgVDSxGfmuZnh6csQkFAQ0bamxvEzseGK/6H:KyBvQFIRCNAklgF2GuuZn+JMDreGK2

  Score

  10^/10

  wshratcollectionpersistencespywarestealertrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2