Extracted

• • Target

    de80ddaf900379871f2bab20d64da027

  • Size

    646KB

  • MD5

    de80ddaf900379871f2bab20d64da027

  • SHA1

    22dbcdac16ba7ced8816a60040eb18a6246ae41a

  • SHA256

    230071b1f1ec23b18fdb3bf074cce6e6c6f1e8868b3b650ae5c528e0c7afe0d7

  • SHA512

    ca997731ef7bb4db84bf1bbde7aff87520e52491ee85721351fd722421f05ac95795515c4d0d3620d77b9b106178a6c930d15d51333a54710ee3aec73a298ce5

  • SSDEEP

    12288:1vRUyXewlgFEanFjj+SpBw6tFZmAT28Al/VFbdOXQW54O:1v/Xb6Djj+SpBwuFT28yLpSQWn

  Score

  10^/10

  wshratpersistencetrojandiscovery

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence
  behavioral1behavioral2