Extracted

• • Target

    20191207_PO_HCMCJR_URGENT.js

  • Size

    116KB

  • MD5

    8ab0aa6617da302cfdf3cfd5f69befb2

  • SHA1

    a6598fe37552a5b66d672d12dd3fdbf4d79597dc

  • SHA256

    31c763ec4f5801e2127d655f0e84bba0f020ba2af54ee6f48964b096d53d478c

  • SHA512

    220e52d8f8c8f22fc50614f9cd31c20b19e6201cc065c3653302caadbca64f346caa7dece2d69e46624ac92ea3815882b6f3fa6fe2dea9a3af9f293e9bcd3739

  • SSDEEP

    1536:nwZ/j/5W3lrlGPU1Z9inn6aM9F4LZ7f2vBPgTLJZV+NM1PojBCveiN44QZGxMKQY:nSj/IVEUkxLpfXr1PokG5ZR70CLW

  Score

  10^/10

  wshratexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2