General

  • Target

    000315202300.js

  • Size

    1.1MB

  • Sample

    230316-t1dj6sbg98

  • MD5

    50b25d9512c8d025c67a78e308bb9209

  • SHA1

    4a2ba2d3affdb9a1e1b1d86e6288634863767f17

  • SHA256

    4f0ee7a605c3146b8b82a12c705c8417a1ea4d7e4bf8b5b2a5107077332e7cab

  • SHA512

    f574c2bd9cf3cc93de0c3ad00d8cd0c3ae67642c2fa64f412691ab17e3ddb1cffa911a4a0795bde3ce45ce98560b9fdfc9f18109dab1a701339ff7630f1aa204

  • SSDEEP

    3072:+iXNHOXPsYfG+ri3fuECn/AHbc5j6+2LXlevxY14FF3iLU5zLR2:+iXNHOXPsYfG+ri3fudQ

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://45.90.222.125:7121

Targets

    • Target

      000315202300.js


    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks