Extracted

• • Target

    cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc.js

  • Size

    616KB

  • MD5

    70a617fd2bdb08c64a65ecfba1612140

  • SHA1

    d41eec4cb2f449b845d3f4fa3baf80086705bba6

  • SHA256

    cc10da7e2a5c074cc559ed0f19a4880ae171a44b0039a5d3caadfd326db714fc

  • SHA512

    52c22c0b1d8b8e1b69224e4164fb75d0b07b7b1f8fb6b9b843218f0c01cae0279fe45cecbb538b021ddb7e57c723917ae2f34186881db210c8b4953b7a2b0961

  • SSDEEP

    12288:NYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMa:NYeIrWr/qRigAyX/kngXFbjTLvaH28nZ

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2