General

  • Target

    Required-document.vbs

  • Size

    59KB

  • Sample

    220227-qlyd9adefp

  • MD5

    a3b2efc3e12c3dd4f6c343d8e768a01c

  • SHA1

    72cdb5d6fd134ec0920cb8b4342adf0e3a961025

  • SHA256

    1836bc14a38837046d3937aef05eee266da919d296cfab066317b0db4ba48d21

  • SHA512

    089140d2a092c8737aea06e959e06d674addba76a2be4114540a9616d450f5890d888624fcf73129e16801c97a5bd1be39544ccacb26e7f471f25b860f4b3e03

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://ec2-3-235-29-66.compute-1.amazonaws.com/test/AAA.txt

Extracted

  • Family

    vjw0rm

  • C2

    http://invoice-update.myiphost.com:1188

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks