Extracted

• • Target

    57679766d792132497921ab478f7802f3599a8d19a9c4190045e3a139e9f2c52.js

  • Size

    2.1MB

  • MD5

    40d85b56e7392f84a265c3e43209112c

  • SHA1

    c10e1c1c487f84dbb2cf5089f473529114a89859

  • SHA256

    57679766d792132497921ab478f7802f3599a8d19a9c4190045e3a139e9f2c52

  • SHA512

    203709c65208887bdc78bc02d366ee48a04b90e7e701876416a04b98b12e01e18e5468ddb69ff018ea52816b9e4eae0787bc024cc550d2d35271191829ae7690

  • SSDEEP

    49152:gZknKnkiP2Kkaq4ePu3SomhEvQZuqCniSZae2h6ifBUw5LWrVRRNb/YopQESU3oW:w

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2