vjw0rm

General

Target

PO_CG20210302346.js
Size

742KB
Sample

211202-ty883aadgq
MD5

4d7d2a0d4fe470f6cf2a0a9fc519a5ff
SHA1

c8364f810e6c2bef6801c4b7196882dca05decb0
SHA256

7d024e7fbc39d9379d96332276f41b08670843de3803ea91b257efeadbf8f46c
SHA512

fb3c7bb3fdec6257a8c027e54662f4ac9eb9952647201f10a5942011810d9690bf6b970718bc38038093df9f1d8ab349b3b27cf6432ce69df1e383a7074977f5

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

C2

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Targets

- Target
  
  PO_CG20210302346.js
- Size
  
  742KB
- MD5
  
  4d7d2a0d4fe470f6cf2a0a9fc519a5ff
- SHA1
  
  c8364f810e6c2bef6801c4b7196882dca05decb0
- SHA256
  
  7d024e7fbc39d9379d96332276f41b08670843de3803ea91b257efeadbf8f46c
- SHA512
  
  fb3c7bb3fdec6257a8c027e54662f4ac9eb9952647201f10a5942011810d9690bf6b970718bc38038093df9f1d8ab349b3b27cf6432ce69df1e383a7074977f5
Score

10^/10

vjw0rm persistence trojan worm xloader pzi0 loader rat suricata
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2