Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-06-2022 08:34

General

  • Target

    RFQ#248.js

  • Size

    17KB

  • MD5

    4239843daed582c191b581c62ad736da

  • SHA1

    175e30808638fe5a79a80fb5ac96d8f3dad0888f

  • SHA256

    abea4af360549efab1f16bc0d7a243a4e4597c61ee549e98a147c6f2c9db42d0

  • SHA512

    8491910ff5aacfb454bdc1b95f8f1cd0a9156179ebb5409101b0ce8a4edc32cd8ed908651b6764dfde16753fb6e4a8b55c9f7243122a32e2a1b14bb7eb0932a2

Malware Config (extracted)

  • Family
    redline
  • Botnet
    moneyguy
  • C2
    45.137.22.113:59036

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ#248.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MQaBnASytN.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:904
    • C:\Users\Admin\AppData\Local\Temp\pr.exe
      "C:\Users\Admin\AppData\Local\Temp\pr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:520

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pr.exe
    Filesize

    95KB

    MD5

    0ee0b6acb97539cab3193db9e342eb47

    SHA1

    9b68ffabab2cfa01911f7a85d367349ae9954b7e

    SHA256

    165767c87876253a9f95bc650faba1540477f448e2701a2d8710e2d7867bf899

    SHA512

    c0d595db02d2683d116934e05bd6097ac960de528d9abcdee890d07c8950b21748922d820619fbb0ce5c39bed49c550e529fd71d4feebd1018e3754b166c00ff

  • C:\Users\Admin\AppData\Roaming\MQaBnASytN.js
    Filesize

    7KB

    MD5

    bc1f5653b82ecd30d7a49224dfcbb392

    SHA1

    b42b89a411527521e126e8837cc2f1dad015d78f

    SHA256

    fbfc81f2c862e9953e61426e6c90055dd15563df151839ff7d67e1f00178ff70

    SHA512

    d2d0299811854eeb1db0baf795f4112df9098f244f75335cc0001d229d8abef953bbfb1b0d9b4e2ca7025abdac608d872b37cfbc9d039a653a39a9bd1c2834dd

  • memory/520-58-0x0000000000000000-mapping.dmp
  • memory/520-61-0x0000000000C30000-0x0000000000C4E000-memory.dmp
    Filesize

    120KB

  • memory/520-62-0x0000000076431000-0x0000000076433000-memory.dmp
    Filesize

    8KB

  • memory/904-55-0x0000000000000000-mapping.dmp
  • memory/1684-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
    Filesize

    8KB