Extracted

• • Target

    01052024_0640_us.txt.js

  • Size

    634KB

  • MD5

    be1960a5bede346d98723b0fc76d2f02

  • SHA1

    c0e53f5d259ed10a802cc0a6c96728f3df32864a

  • SHA256

    72c9ae0599080805aa46a4cf5adb2685ad6d5e81f6fc8ae53b7a232d406f186b

  • SHA512

    e22c79f8d568e57c3e6c6d1edfadaa2373a7bbecff1875a43b6a509465e79b98fd4551256248266dfb2c6a76eaf38b8cc0df0eabe27cff355d9f4bba8f9be780

  • SSDEEP

    12288:Pimg0Vtx60ZGnZH19ndYeIrWr/qRigAyX/DvZvTbxzhbObcizI/mofdEMdNtQCBx:Pimg0VtxMnZH19dYeIrWr/qRigAyX/DN

  Score

  10^/10

  wshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2