Extracted

Extracted

• • Target

    Scan00516.js

  • Size

    2.8MB

  • MD5

    cceb6f7af35075d52fb1abbbcba9d552

  • SHA1

    db1fb42b122d7dfe6870a9a5158cd16a54f500b9

  • SHA256

    e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9

  • SHA512

    694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

  • SSDEEP

    12288:HEjhLV6ErrE79GfPIE9bR/Ncojw3Qxe1C5SsPuUhoGp8b+hRmgQeemB7JpPBgKq0:2

  Score

  10^/10

  formbookwshratme15persistenceratspywarestealertrojan

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Formbook payload

    rat

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • Nirsoft

  • Blocklisted process makes network request

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2