Extracted

• • Target

    rORDER-023603_List.xls.vbs

  • Size

    9KB

  • MD5

    b66938f8b8ab81aef4aceeea87bbe7b5

  • SHA1

    2f140f44c2f74ecff2e24dcb0b3fbd72080e090a

  • SHA256

    5a6374adb1371c63cace395445818f4b83dcdd2494da86062b0ab3cbfb201e0b

  • SHA512

    0f449d44022e9abec453180dae1f25e06fb538359c6cc52f3eb6efafb9b339f293f733284c73ac2b793fac97aee92df01eeed524c361ac0f7c35664a97dfd0bc

  • SSDEEP

    48:bnlrCVFFIlV2rVboysaqbwYHppKZ2I0wiin5I2c1YleGE/+:jlrCnFSmzs/3IKin5I2c1Yle9m

  Score

  10^/10

  wshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2