Extracted

• • Target

    043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5

  • Size

    616KB

  • MD5

    67ae1f3636df193b2b7897bc536fcf76

  • SHA1

    f3a94059adecc0de3615ebe2fb7df65599b3361b

  • SHA256

    043df4e99aeaa6f5873b0cf3dec2694d5b8d1f4830b37c9e2a5fc16953baccf5

  • SHA512

    2c0e76588a79f88036d51a4e628bf8120ca36a3c788b5066004955e0c2be855aa8b5ee357e9b2332d5957ce3c6da23d63539fa0eb730596e08a3574a180093c1

  • SSDEEP

    12288:MYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMZ:MYeIrWr/qRigAyX/kngXFbjTLvaH28n8

  Score

  10^/10

  executionwshratpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2