General

  • Target

    8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js

  • Size

    903KB

  • Sample

    241004-b3vx5a1fka

  • MD5

    e8b8ceb50d77284cb8124fb02e9f1268

  • SHA1

    72ed9a12200a422140a33c504c0db91ea43a3623

  • SHA256

    8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7

  • SHA512

    0fc4f2a9a5e8b42468f20808a228e38d1169c714ce709addfb453ce6fa6f1801f5743d3cec02c9bd63ac550f473bc0de4f675e1f0d470df4846e4d6f4b67d358

  • SSDEEP

    6144:HQSQDBxonj7aB6Y+XMjIM8yDwGEmxu06wwKhgsaaSLZR2NRPIr3++OHoZ5aCtTKq:wSi2

Malware Config

Extracted

Family

wshrat

C2

http://37.48.102.22:1820

Targets

    • Target

      8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7.js

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
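The signatures above are the sandbox's behavioural labels; a practitioner usually wants to see how they map onto host telemetry. The following is an added example, not part of the report and not the sandbox's own detection logic: it runs a small classifier over Sysmon-style event records and groups the hits per process so the script host's whole chain (startup drop, Run key, external-IP lookup, C2 connection) is visible at once. The only values taken from the report are the sample SHA256 and the C2 address; the event shapes, process GUIDs, file paths and the choice of `wscript.exe`/`cscript.exe` as the "blocklisted" network-capable processes and of a few public IP-echo hosts are assumptions made for the example. Note that Sysmon does not log registry reads, so the "Checks computer location settings" behaviour (a lookup of the configured country code) is not observable in this telemetry; that signature needs an EDR or Procmon-style trace and is deliberately left out here.

```python
# Added example (not from the report): map the sandbox signatures onto
# Sysmon-style events. Event records, GUIDs and paths are CONSTRUCTED; only
# the sample SHA256 and the C2 host:port come from the report above.
import json
import re
from collections import defaultdict

# Values from the report.
SAMPLE_SHA256 = "8273cdbc9b9ebe69d2e208ed576d227903aa07839abe8ac292f732d677ae17e7"
C2_HOST, C2_PORT = "37.48.102.22", 1820

# Assumptions (not stated in the report): the Windows script hosts are the
# "blocklisted" processes, and the external-IP lookup is a DNS query for one
# of these public IP-echo services.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IP_ECHO_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def classify(event: dict) -> list:
    """Return the report signature names matched by one Sysmon-style event."""
    hits = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    eid = event.get("EventID")
    # EID 3: network connection. A script host talking to the network is the
    # "blocklisted process" case; the exact C2 tuple is reported separately.
    if eid == 3 and image in SCRIPT_HOSTS:
        hits.append("Blocklisted process makes network request")
        if event.get("DestinationIp") == C2_HOST and event.get("DestinationPort") == C2_PORT:
            hits.append("C2 contact (37.48.102.22:1820)")
    # EID 22: DNS query. Resolving an IP-echo service is the external-IP lookup.
    if eid == 22 and event.get("QueryName", "").lower() in IP_ECHO_HOSTS:
        hits.append("Looks up external IP address via web service")
    # EID 13: registry value set. A value under ...\CurrentVersion\Run is persistence.
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        hits.append("Adds Run key to start application")
    # EID 11: file create. Anything written into a Startup folder is persistence.
    if eid == 11 and STARTUP_RE.search(event.get("TargetFilename", "")):
        hits.append("Drops startup file")
    return hits


def triage(events) -> dict:
    """Group matched signatures by ProcessGuid so one process's chain is visible."""
    findings = defaultdict(set)
    for ev in events:
        for sig in classify(ev):
            findings[ev.get("ProcessGuid", "?")].add(sig)
    return {guid: sorted(sigs) for guid, sigs in findings.items()}


# Constructed sample telemetry (not real captures), shaped like Sysmon JSON.
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
DROP = ("C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
        + SAMPLE_SHA256 + ".js")
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{guid-wscript}", "Image": WSCRIPT, "TargetFilename": DROP},
    {"EventID": 13, "ProcessGuid": "{guid-wscript}", "Image": WSCRIPT,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
                     + SAMPLE_SHA256 + ".js", "Details": "wscript.exe //B \"" + DROP + "\""},
    {"EventID": 22, "ProcessGuid": "{guid-wscript}", "Image": WSCRIPT, "QueryName": "api.ipify.org"},
    {"EventID": 3, "ProcessGuid": "{guid-wscript}", "Image": WSCRIPT,
     "DestinationIp": C2_HOST, "DestinationPort": C2_PORT},
    # Benign noise: a browser doing ordinary DNS and HTTPS should produce no hits.
    {"EventID": 22, "ProcessGuid": "{guid-chrome}", "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "QueryName": "example.com"},
    {"EventID": 3, "ProcessGuid": "{guid-chrome}", "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Running the block prints the matched signature set for the script host only; the browser events produce nothing. In production the same logic is usually expressed as Sigma rules, but keeping the per-process grouping is what turns four isolated alerts into one WSHRAT-shaped incident.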

MITRE ATT&CK Enterprise v15