Extracted

• • Target

    Dadebehring PendingInvoiceBankDetails.JS.js

  • Size

    615KB

  • MD5

    0b7c8b483dbe9dd80dcfc2efc2fe3595

  • SHA1

    097e1054b08e5b6e454def018a04e865fb02874c

  • SHA256

    019e983d91ef29bce54e750ec620a7e63418f34c9a393f3f44e11cbfa39c2258

  • SHA512

    118be8d4c92581e3f51330eebfd5e7c5549e21b5d466d68799ddd6e7dc47b82e08f1924fabb7f049e0739da6f079983f4a2b87ab2957dc260b4763362406a321

  • SSDEEP

    12288:rYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMt:rYeIrWr/qRigAyX/kngXFbjTLvaH28nQ

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2