Extracted

• • Target

    Invoice-883973938.js

  • Size

    614KB

  • MD5

    df7e2ec3ee72ab7a80d2542807ea0c25

  • SHA1

    21f70badfff73f0b55d417d08438236f3e7cfd52

  • SHA256

    e8b589ab580205d0a3cf61367dc5e818aa2a7a90973b95de55502ff6c5853e27

  • SHA512

    fda45ee869d1f5f41a0f4846072bc79680474df60fdc2976be6b5d0f886852010607755c5ccf9dde4f13ad848a8107ce2a591142f9d1b42c9f9698c9008c99a1

  • SSDEEP

    12288:bYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEM+:bYeIrWr/qRigAyX/kngXFbjTLvaH28nT

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2