General

  • Target: 38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf.zip
  • Size: 159KB
  • Sample: 231230-sqztzscec4
  • MD5: 5e6b24b8800ba22c8c778bf6c06fdbad
  • SHA1: eb09a7033955cbd2517c45b2277f923f3dabf8ea
  • SHA256: 795a5fad26bf022360bdb88d73d356037f0f644fd23c899f88547fa9552c6759
  • SHA512: e594884a2a85de3694f1f259cb39c3de89904df6a2c1552664d0f7bb479338784147bc68c620e646d87053d3fe26b6264f03f2ceb03e8fd3879743b7100230ee
  • SSDEEP: 3072:X+tJI7T4fPxO7Aidy22laKxQ168C+Yeqz81VKulcBBjq4gkyqPpwGtY0utrs/:X2JI7c3QAky9xXWYeqI10ulm9nyqPCGX

Malware Config

Extracted

  • Family: wshrat
  • C2: http://poseidon99.duckdns.org:4758

Targets

    • Target: 38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf.vbs
    • Size: 254KB
    • MD5: bfb4e820b764be9c6ca3a7be5afdc124
    • SHA1: 21e8d148050fa80830ee64cbf99d67292a21fabc
    • SHA256: 38bd5894a8e1c294b4ea9f3809a1bb7d987af8db390063603c2fca96df2a77bf
    • SHA512: 506a151144d5323156066d1a746bd3d9e14b99a170d1e89d9424a5a98dd05a794ab0aa32766b073f58ad866716ef25972b3a44a9d56fad80003c0abf13ced27f
    • SSDEEP: 6144:ywKmqM4d6gb5mjTS8EoL36Uc2TEspbmWVX7FilDCtzQbxkGsg5:QdeTSWdI8mWVM+OGHs

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
