Extracted

• • Target

    2027db19e08f49cb365ca8523145ff5ce77bf4b4430075c3bf274f4a4f3f789b.js

  • Size

    614KB

  • MD5

    2299cd103202899b48a32a317f58192d

  • SHA1

    f813552dffb221b7cfaf356d571bf6468b9e58aa

  • SHA256

    2027db19e08f49cb365ca8523145ff5ce77bf4b4430075c3bf274f4a4f3f789b

  • SHA512

    2385b8acefda53c6620bb220e7dc5a8fde64c7d6ccb110a6a0d32152d0d87444fcfbc88bb9dbef322f0ced7bc27b92d43fc1bc1bb5d409f289ae86b816123d14

  • SSDEEP

    12288:kYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMU:kYeIrWr/qRigAyX/kngXFbjTLvaH28nJ

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2