vjw0rm

General

Target

KBH-2092649118.js
Size

409KB
Sample

211208-s8r7vsheap
MD5

b981d918dc8628b9c0a657f5e62c595f
SHA1

e4c9f272e99b20201a440cf267d5645180531fd9
SHA256

fd04d5a8a5e86c1666282015aa9496bc94da38c7a057745754afe6e4da2aef33
SHA512

7869703c1a53ece58ecdce67d15b9af9e02a7cbb4cf6563c873c7635344a964144e59820247bb625da6c18ad8563812e186a0e3cb50d515a834fd17fbeec47eb

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

C2

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Targets

- Target
  
  KBH-2092649118.js
- Size
  
  409KB
- MD5
  
  b981d918dc8628b9c0a657f5e62c595f
- SHA1
  
  e4c9f272e99b20201a440cf267d5645180531fd9
- SHA256
  
  fd04d5a8a5e86c1666282015aa9496bc94da38c7a057745754afe6e4da2aef33
- SHA512
  
  7869703c1a53ece58ecdce67d15b9af9e02a7cbb4cf6563c873c7635344a964144e59820247bb625da6c18ad8563812e186a0e3cb50d515a834fd17fbeec47eb
Score

10^/10

vjw0rm xloader pzi0 loader persistence rat suricata trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2