General

  • Target

    f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0.js

  • Size

    953KB

  • Sample

    231201-wtsrmaeg2v

  • MD5

    21c25960399a73a630e1a4b8300d811c

  • SHA1

    86152daa4a7edfd28f8a3f3083c804204fce7033

  • SHA256

    f0962774a22adb03e29c34fda016085f1fc99598f23562e5165474469f653bd0

  • SHA512

    7f9bc1296091e91e1cea8fb5ed4ac3542edaf74b1a9854e0d546a69e92be3d31b578c58cb81c21828cd43d4e7b37936bf6cd98d5ff68ab13e5fe1740a57cabff

  • SSDEEP

    6144:XQ7Ai2LEudj0YJ404Lb2Hqoivl0WX1u4O9uziIBEJtB8ezLcbtSBYu3FC+ammFVV:gag

Malware Config

Extracted

Family

wshrat

C2

http://snk2333.duckdns.org:47471

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
