General

  • Target

    TBTX00392.js

  • Size

    1011KB

  • Sample

    230719-p476qsff9w

  • MD5

    bebb7261224b5a20938c5b0ece1e973e

  • SHA1

    7ad65629b20caaaac52b7a161c8be6b5ebb9e278

  • SHA256

    85682ad2261aa1d7d9f56f3e7dfb963cb2e15fdecbd8bcf4c6c2443aa470108c

  • SHA512

    04a30bf78488ecba0bff67c44540649b2021177950fd21c88589b9da76e05b38740d3bb34f47a1120ccf0de7925637549860022121bc2aaaf854858e90556bc3

  • SSDEEP

    1536:qeqxR3RFiK5t/+2Z20xYssK3Qk5Fh5dQt5U6EPkQcTeV8qMXKQcTeDwxAiPvcYnS:Y7A977i8YnIvf

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Targets

    • Target

      TBTX00392.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
