General

  • Target: Purchase-Order-23726.vbs
  • Size: 747KB
  • Sample: 230726-l2sfqabc9y
  • MD5: c1782dd257f96535b081857cd64e2598
  • SHA1: dcfc5c3fe03e591bc9a6cfb7b008a312eedf343b
  • SHA256: 47ef53bf5833e55b94c424f1a3560baf56bb672760e89fab43a0eb226720e265
  • SHA512: b39e5eee7a3e8d33ba01ca022bdd564a4ef0c6f00c40adebebec4ee8a310855859fcc1b6834d4361654630518989196e1f0e38160e7feac462a021f52cfe0840
  • SSDEEP: 1536:/MRtSdp+jIiYowCm2soUPRQnrtIoA7OUzpZeVpnYCsHg6sgxstnZDQUhKKMp:8jNm2LnJIoA7OB/tsRWnZup

Malware Config

Extracted

  • Family: wshrat
  • C2: http://chongmei33.publicvm.com:7045

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
