Extracted

• • Target

    ORDER_#00250490-6758AT.vbe

  • Size

    8KB

  • MD5

    5018141075d290e1bf838ceddeaa0fab

  • SHA1

    37a5d96ff98bdb465b51b922b9e193916df70e7a

  • SHA256

    d6fc2e70bf11cb4b1b12c63864458a3e9c9bb8ae8f5e37a50da90d4b88f8ece6

  • SHA512

    228902cb60b168aee5522bd9696c38a5b21bc189b4b5f1ec00612cf12fc8ae96cc486e5ad7605623a511bdfd36cc4229fda38613a98f5ff6dd1b1f9dd1de09fb

  • SSDEEP

    192:MbmQwm8r83b4x4a/Qw4uA/8r4aFE+g0aFK2ZSfgbDRbHYQwDQwrQwYjbv9F+QwHJ:ImQwmY8r4x4a/Qw4uA/Y4azg0aE2ZSfl

  Score

  10^/10

  wshratdiscoveryexecutionpersistencetrojan

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Wshrat family

    wshrat

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence
  behavioral1