Extracted

Extracted

• • Target

    Cash_Transfer_REF#23284449-9374647.js

  • Size

    7KB

  • MD5

    4e0ea5c5808c3d0cf7006eb0ef347c4b

  • SHA1

    80f8f2d5b7caf2f13b1edd764e56f46930754edc

  • SHA256

    d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1

  • SHA512

    40745410c37e8cf392c59ca9c8d04779c96624eefe7b8f90f3876f8c54c60518a622db9553b0420f77b34582a586ec68b664089f909e37043a11c0d9734a44d4

  • SSDEEP

    48:iVnz7HAx3ZSGwW6PnWe28gR7osdSrwyNNgnw5:itfHAx3ZzwWKWTnR7o8SrwqNgnw5

  Score

  10^/10

  wshratxwormpersistenceratspywarestealertrojan

  • Detect Xworm Payload

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2