General

  • Target

    tmp

  • Size

    396KB

  • Sample

    230329-qyxy9aab5s

  • MD5

    81f9f37ac3c2eedeb3469b055c4b8e96

  • SHA1

    20d50098fcbff0e933c3f9fd42f82b22f741843b

  • SHA256

    b17bdafe054295b84b35190c7021be09bb456095ba5702988048299e478a7284

  • SHA512

    947df24f4f6b3aa38c47099f949c6ac383ac45d7dd40ac0b7b268b5191df8805a06b774f16188e3e1cb8e2c442d6cd22f10e3ddd074afb426e927f293bb65a5f

  • SSDEEP

    12288:/YfkqbKDGNB+AzcBrQtV7ExskKQrftxpm4:/YfkqbKDGNB+M0KqsbQrzH

Malware Config

Extracted

  • Family

    wshrat

  • C2

    http://snkcyp.duckdns.org:3369

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
