Extracted

• • Target

    SA___CS_Purchase_Order.xls.js

  • Size

    7KB

  • MD5

    516442412f0c621f39abd64b645f587c

  • SHA1

    20565fcbcf30ced136c6e6a9c6539a139f610233

  • SHA256

    3dbe569606e7cb9d93ad9f5bb8135fb9e6faf2d525c365dbc0eb672a45419ff9

  • SHA512

    3d96d973e3a1a6bca2cdd982e50524c3d1b79df03eedd1165ecae94d408fdd12a1f14a9b4fb7660f71e0be912ba469e1e4f88b42f8f6c66758f8e2d16342b1e6

  • SSDEEP

    48:MOIWNECVZvY3thH1S4T0O2NiIVEggU3mOOFANEeoTmKaU9Osxi4OcKGE+G:zYCVZ+FTbmVEgg+u9Ny8MXV+G

  Score

  10^/10

  wshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2