vjw0rm

General

Target

payment.js
Size

317KB
Sample

210906-ty8mjaedhm
MD5

11ffb135f770756723dc7de03b21bdee
SHA1

bcaed5653b5beae1abc9709672cbb35e06b65a29
SHA256

2c667eeb4b7c3842d866f6182ef1a347ff53b1f7c414ccdf199fcb66514b2f9f
SHA512

5acb75cc09eeb2f9a04fa9c214387dfb7deecaa560f58c5e47e38377e02584a94316260e343529e2dfa7a3114fe9da492aa2e51f43dc6459deab8ab13f8b0bd7

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n64d

C2

http://www.bughtmisly.com/n64d/

Decoy

hayominta.com

dunstabzug.website

fafmediagroup.com

keepamericagreatagain-again.com

15jizhi.com

hachiden.net

manifestarz.com

bridgeschc.com

floving.com

tintaalairelibre.com

ditsawong.com

dabanse.com

choiceschristianliving.com

pcojapan-online.com

unityinsport.com

hersvin.com

suhaizat.com

vitaliyvs.com

equipmunks.com

yfhzx.com

Targets

- Target
  
  payment.js
- Size
  
  317KB
- MD5
  
  11ffb135f770756723dc7de03b21bdee
- SHA1
  
  bcaed5653b5beae1abc9709672cbb35e06b65a29
- SHA256
  
  2c667eeb4b7c3842d866f6182ef1a347ff53b1f7c414ccdf199fcb66514b2f9f
- SHA512
  
  5acb75cc09eeb2f9a04fa9c214387dfb7deecaa560f58c5e47e38377e02584a94316260e343529e2dfa7a3114fe9da492aa2e51f43dc6459deab8ab13f8b0bd7
Score

10^/10

vjw0rm xloader n64d loader persistence rat suricata trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2