Extracted

• • Target

    0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c.js

  • Size

    830KB

  • MD5

    3f2a1c1daacef7c9dc6f69c5362c9928

  • SHA1

    3ce5d81226174c6c048313b9702fec63491eb339

  • SHA256

    0cb55adaebcd33b94fb00efcd1b927b2bc49a05e4ec4f9cc02bb70b3c5dfeb7c

  • SHA512

    d325873f1fd3bf4393ce60329451874b2a7543c5c3068fd0427030f761f20f9e8539fed72ff24155cfc6d7d609a997c1ceb91cc643a79732c0a2bf97c731eee9

  • SSDEEP

    24576:hKDnslywYmw3SkKNuhf+0s3S3PnukeZauv/k5IgPZ5i:hKbstYmw3SNwhm0CSfgauvmLi

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2