Extracted

• • Target

    01052024_0305_Promotion_(PO_3078320)_2024_04_29.JS

  • Size

    1.4MB

  • MD5

    bea0edf272ae661cdec8fb350557a776

  • SHA1

    1b204c187effc16ad30c0baa8e1a3bf45fb487a2

  • SHA256

    9e7e1150a44950c4e0227ee843b51750167e60f57a1a1e93eafdddd973d95c90

  • SHA512

    29572355eadad7e46c298971ec517a8a5805575a7654e7070ea929b03297c2700639cacdcc931c9f7af1d7399ee84f6d43ff1b66b6a66c5e43b1e289f4e08cf2

  • SSDEEP

    12288:cixpS0xsV88+YvwCPAtTEmWOFCx4ngiNEXxSHZQPFEfaqNe7znG/PCtZCbhL5GSE:ggFcj6CvG39H5sNWNOlxxTEg

  Score

  10^/10

  wshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2