Extracted

Extracted

• • Target

    e3516f50c3eec802132c17e8250a82c5_JaffaCakes118

  • Size

    155KB

  • MD5

    e3516f50c3eec802132c17e8250a82c5

  • SHA1

    3a1ec1501f21809f34cdbb6dccb662de26e96791

  • SHA256

    3d039a276556af992957c235fbdb216e79d1cf95787cab0e98f86158d4e34630

  • SHA512

    3c972ec1612ab8ce7fb2b2e76bedd0d3a1e52afab8438b88aef29628b5c94260dc52219dcadc0076c4c9f0103fa4c9d0454dddb58d7f80e400f917d272e2999d

  • SSDEEP

    3072:pjnXcHK4l+/Ms3p/kCP7BQdYj1DFi63iMS7iW6pKA8pCFt/W5EujzIkK8XsO7IeF:tp4liMs3p/kCP7BQd01DFi63iMS7iW6S

  Score

  10^/10

  revengeratwshratexecutionpersistencestealertrojan

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • RevengeRat Executable

    stealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2