General

  • Target: Quote.js
  • Size: 1.5MB
  • Sample: 241017-j49fxayhrb
  • MD5: 7d2d391002b97ff0652b9148902b6abd
  • SHA1: 142abb8196206209738c16b1da79e9773d349ba5
  • SHA256: 1605ba6b37eeca60319c2a18a2004856d01b7563aa660793d229a80acbfa669b
  • SHA512: f6c1ecba496b65b8ff7f78b22e846db8dc1adceae21fd5f2ac8c0720a81cfee3c18b106d6b7cf844a47443bbf697b3c7966b795996bbc46c84ff1ad3a687ea1a
  • SSDEEP: 6144:KQiFy0BCvRBHByGr0cr4lUGZB4By1jnld66nsleTosWDRC/Gjt5PzoArRT9S5ZTI:Z6VR7loaaf

Malware Config

Extracted

Family: wshrat

C2: http://37.48.102.22:2020

Targets

    • Target: Quote.js
    • Size: 1.5MB

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and exists in both VBS and JS forms.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to discover the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks