Extracted

• • Target

    60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928.js

  • Size

    1.1MB

  • MD5

    45ece63fd62550c00c23129d45acc6ae

  • SHA1

    428b9734401dbb1c71cbe84894be3ac54f7f8f0f

  • SHA256

    60413aef500d578efcf2ce776c02d9d6b29ec0d1070ea7d758b6c5a3544e7928

  • SHA512

    35a97ce1eb9765d3f306b3478e6607889aa5130239cd85a351c81c94caf964a765db5f455c7777641996fb7f422980689be63ef3593a68c79ee275d2a7dc3935

  • SSDEEP

    24576:xnM9UoHmc6UHyDnk8VYJH2GLvXHLmhWeWJxuLiYZZNJIMmXL/MbiHmKA63OuQFfP:xnmTGCS48ZorOWe6jeZNJIpXjMbiHmKk

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2