General

  • Target

    7ff43ee5a3250008a6748ea0bdd5b6f654a84f5f766088279da1edb8b6c3c4c2

  • Size

    238KB

  • Sample

    230927-mj94gshh8y

  • MD5

    426b84f219380e3025e96ed23ea70527

  • SHA1

    8680a89ec622ab348dec019e36a6346d98a8f27a

  • SHA256

    7ff43ee5a3250008a6748ea0bdd5b6f654a84f5f766088279da1edb8b6c3c4c2

  • SHA512

    b37303b269ad2cd1a15daf4d7f3b7acda237031f118c37b29be03a514f7393b4c346b050c97cc3137c2d7214c8f96248996ee6817f68659ea06964537f808325

  • SSDEEP

    6144:/j27WkdV8aVv50d3cw5RnraADy7A4YjiV5:7271dV8aY3cWRnGA+2w

Malware Config

Extracted

Family

wshrat

C2

http://198.37.105.223:7121

Targets

    • Target

      03094991200.js

    • Size

      1.1MB

    • MD5

      c90e24e0496e0bb81d8032c74b7ed539

    • SHA1

      b5e2df79729cb47c2401e932915fd05b8469decd

    • SHA256

      a2dd5d94199f9b725b44f8dafedf9559d158f9fd0b9a445ef8b92383e445a32e

    • SHA512

      c34a8d1a27e6a0c5e215f95cf4261aa173edb304c97d869fa73568b9e3eea0bf3886a867b268389a10fed1b8dea3b0c95898a71b99215a53b8e27669a616384f

    • SSDEEP

      3072:IwALITZWIGnufMHbMJeA8PLBPWmPVJtT00YE:IwALITZWIGnufEWm9vTt

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks