Extracted

• • Target

    20020002011.js

  • Size

    1.5MB

  • MD5

    3679c49913df66247c6acc19812e27c7

  • SHA1

    30f24eb88297d32991319b9169a43f4426d9d740

  • SHA256

    3fa9cc9e70806e590f32f15133a81a91a233b06015d1fba37d085e17cb662c4c

  • SHA512

    9be17f2cff2ff94ca3ccb7806513ef1ca6fbda9dddaa11daecfd1cbac7fcb424ab483584997463f4142e59c6b143d9fe6391cacf22065ddb83d274f0b570f397

  • SSDEEP

    3072:dkfldm91a4tGa1I5zaXT0GRnaKQ7vYMjVadIgooakWC4G7KZGiuy+KjGpsGu:dkfldm91a4tGa1I5zODnablOhPna

  Score

  10^/10

  wshratpersistencetrojanspywarestealer

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2