vjw0rm

General

Target

payment.zip
Size

181KB
Sample

210907-2n4jtsgehp
MD5

50dbefd8a45b344dc927e40c3e0cc3ba
SHA1

7a7be7f4acb4776e8701b1041f08a9a99ee9bc99
SHA256

d8742da7f0ad03dcb96a236952ec9d813789cfca74258cb12a4d4ddfed99447b
SHA512

fcb0e2bf27ac9fed50d26b06e25a168c6d9d16f2576b96653d70617769b05dd97a2d8546d2b88308bb7d8e115145d550ba23373961483367aafa456644985010

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n64d

C2

http://www.bughtmisly.com/n64d/

Decoy

hayominta.com

dunstabzug.website

fafmediagroup.com

keepamericagreatagain-again.com

15jizhi.com

hachiden.net

manifestarz.com

bridgeschc.com

floving.com

tintaalairelibre.com

ditsawong.com

dabanse.com

choiceschristianliving.com

pcojapan-online.com

unityinsport.com

hersvin.com

suhaizat.com

vitaliyvs.com

equipmunks.com

yfhzx.com

Targets

- Target
  
  payment.js
- Size
  
  317KB
- MD5
  
  11ffb135f770756723dc7de03b21bdee
- SHA1
  
  bcaed5653b5beae1abc9709672cbb35e06b65a29
- SHA256
  
  2c667eeb4b7c3842d866f6182ef1a347ff53b1f7c414ccdf199fcb66514b2f9f
- SHA512
  
  5acb75cc09eeb2f9a04fa9c214387dfb7deecaa560f58c5e47e38377e02584a94316260e343529e2dfa7a3114fe9da492aa2e51f43dc6459deab8ab13f8b0bd7
Score

10^/10

vjw0rm xloader n64d loader persistence rat suricata trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2