General

  • Target

    Sdk283724711.js

  • Size

    963KB

  • Sample

    230905-3qqanacb4z

  • MD5

    a577b3a40efbcfb8b749ac033f1a7a71

  • SHA1

    2dd22a217b5faec549b6a948a6d1f75c5114c485

  • SHA256

    1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb

  • SHA512

    62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5

  • SSDEEP

    6144:MQSBV1i/yLD9YI1kBs8WL5y6P3uXjRAE2CGMNygiAN2nKrptY/Q0H+kIM4TdwQbW:Xz+

Malware Config

Extracted

Family

wshrat

C2

http://2.59.254.111:2420

Targets

    • Target

      Sdk283724711.js

    • Size

      963KB

    • MD5

      a577b3a40efbcfb8b749ac033f1a7a71

    • SHA1

      2dd22a217b5faec549b6a948a6d1f75c5114c485

    • SHA256

      1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb

    • SHA512

      62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5

    • SSDEEP

      6144:MQSBV1i/yLD9YI1kBs8WL5y6P3uXjRAE2CGMNygiAN2nKrptY/Q0H+kIM4TdwQbW:Xz+

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks