Extracted

• • Target

    Pending_Invoice_Bank_Details_kofce_.JS.js

  • Size

    616KB

  • MD5

    9c3aaa1354531b2f4c194af6be1dfce7

  • SHA1

    cef62c19f65f6985bb473c7b2469c3512f916933

  • SHA256

    3680c60d58b895a8a423ee6ce62f9bfc23effb87522194c1637d67c148b9778d

  • SHA512

    ebc2c1a3d28d7ceab9447baa6c1341183ba17f74de24b3bee6ddaaa84c81d6b4edd97c0f90d3231c643da28520626741b81423593b7d29b08fba4dc2d48f0d97

  • SSDEEP

    12288:+YeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEM+:+YeIrWr/qRigAyX/kngXFbjTLvaH28n1

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2