Extracted

• • Target

    06858399.js

  • Size

    1010KB

  • MD5

    05f7dda308f1bc24abadf8aa3371330b

  • SHA1

    aa06855668ac9804721adacbc152ff0c302562cc

  • SHA256

    00460e8f2804e45011d3aaf0981b3124fc61bd67a529c8037ae23760fe4a4a52

  • SHA512

    584b38cd5c00fc67a1bbe11d0d76933ab688dc5cdf307729f6a0a230fa63cdb0402e3ea2bdb9c5adbdd89e8f223e04664754e5878bcf7769482d97938c1a7fe7

  • SSDEEP

    3072:7jqQUG/tGfT5hmFesTlDxVa9H8EHGK125p5DE0VsW3ikFBWdtm++fm6KMZ8:7jqQUG/tGfT5hmFesT1xKNoisI

  Score

  10^/10

  wshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2