General

  • Target

    aed8a6b3191c2097fcbadb520f5d0f7e30b578c23f9abc0ab52b63bbb7abc141.js

  • Size

    984KB

  • Sample

    240922-tbh4csxdrd

  • MD5

    d184c9512e27f412a98e4ad8b2225136

  • SHA1

    06699f9d15e3add90f8b50ac3db0e45b9bbcd671

  • SHA256

    aed8a6b3191c2097fcbadb520f5d0f7e30b578c23f9abc0ab52b63bbb7abc141

  • SHA512

    f17ec0e449fc5d94e5aa635d8e30e06d78d5915f2cbb819ff77e46dcb6bd836a13a286f035e44ae885a764838f0136fec2ad4cfcd1ee1c89dd14f3d082265837

  • SSDEEP

    6144:HQ5h2HwarBPcXUTjpdpiTv0H0nBX7uBKZMiVTuw4JuFuOP88S7d45/qEhTXHINRV:wHFO3cMSK

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:1820

Targets

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks