General

  • Target

    Scan0043.js

  • Size

    984KB

  • Sample

    230330-jan8wada41

  • MD5

    faa1349089a33676434cc9deca10bf7d

  • SHA1

    ebf43f904829f0f81d734db58b1d2f5e393df22c

  • SHA256

    159f8bf05cfb8aa77a15523e0f957dc5d596ec4268564a09e9adcce902b6036d

  • SHA512

    9802e518a0e22d0e54398603d726360f31293586b6820f933a8d93e38ddda4b56ee34ac17ce7e9d5485b556127535d7c84eac5d29dd8c1fb2ce6c709d639c8dc

  • SSDEEP

    6144:2pkargZWNhPwMGdrez1TsuwzpZSSTuiIu8uzfOgw8Y5PW+KZZJ/26KWKMeihf/nm:u

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.125:7121

Targets

    • Target

      Scan0043.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6