General

  • Target

    Update on Payment.js

  • Size

    615KB

  • Sample

    240502-z1k7xahc96

  • MD5

    8dcc2c7236870e00097d09cadc066b03

  • SHA1

    2c9868c25000e2d7801dc9fd431d6ba99b694e16

  • SHA256

    d968cf117419570bc67f57a2be52a648d2253346fd60489c06435fdbe518c61e

  • SHA512

    918ee5a3a83fcbc098b294077c0fd5888ccc05e0785ef749c788be763ddd2750fe6daa67904b9de2d77cdb9dfab4dc7b65db25e1c18ab5d33f969e81fdae9cf5

  • SSDEEP

    12288:fYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMp:fYeIrWr/qRigAyX/kngXFbjTLvaH28ng

Malware Config

Extracted

Family

wshrat

C2

http://masterokrwh.duckdns.org:8426

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
