Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-06-2022 08:34

General

  • Target

    RFQ#248.js

  • Size

    17KB

  • MD5

    4239843daed582c191b581c62ad736da

  • SHA1

    175e30808638fe5a79a80fb5ac96d8f3dad0888f

  • SHA256

    abea4af360549efab1f16bc0d7a243a4e4597c61ee549e98a147c6f2c9db42d0

  • SHA512

    8491910ff5aacfb454bdc1b95f8f1cd0a9156179ebb5409101b0ce8a4edc32cd8ed908651b6764dfde16753fb6e4a8b55c9f7243122a32e2a1b14bb7eb0932a2

Malware Config

Extracted

Family

redline

Botnet

moneyguy

C2

45.137.22.113:59036

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Blocklisted process makes network request 10 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ#248.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MQaBnASytN.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3660
    • C:\Users\Admin\AppData\Local\Temp\pr.exe
      "C:\Users\Admin\AppData\Local\Temp\pr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4556

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pr.exe
    Filesize

    95KB

    MD5

    0ee0b6acb97539cab3193db9e342eb47

    SHA1

    9b68ffabab2cfa01911f7a85d367349ae9954b7e

    SHA256

    165767c87876253a9f95bc650faba1540477f448e2701a2d8710e2d7867bf899

    SHA512

    c0d595db02d2683d116934e05bd6097ac960de528d9abcdee890d07c8950b21748922d820619fbb0ce5c39bed49c550e529fd71d4feebd1018e3754b166c00ff

  • C:\Users\Admin\AppData\Roaming\MQaBnASytN.js
    Filesize

    7KB

    MD5

    bc1f5653b82ecd30d7a49224dfcbb392

    SHA1

    b42b89a411527521e126e8837cc2f1dad015d78f

    SHA256

    fbfc81f2c862e9953e61426e6c90055dd15563df151839ff7d67e1f00178ff70

    SHA512

    d2d0299811854eeb1db0baf795f4112df9098f244f75335cc0001d229d8abef953bbfb1b0d9b4e2ca7025abdac608d872b37cfbc9d039a653a39a9bd1c2834dd

  • memory/3660-130-0x0000000000000000-mapping.dmp
  • memory/4556-138-0x0000000005400000-0x000000000543C000-memory.dmp
    Filesize

    240KB

  • memory/4556-135-0x0000000000A20000-0x0000000000A3E000-memory.dmp
    Filesize

    120KB

  • memory/4556-136-0x0000000005B30000-0x0000000006148000-memory.dmp
    Filesize

    6.1MB

  • memory/4556-137-0x00000000053A0000-0x00000000053B2000-memory.dmp
    Filesize

    72KB

  • memory/4556-132-0x0000000000000000-mapping.dmp
  • memory/4556-139-0x00000000056B0000-0x00000000057BA000-memory.dmp
    Filesize

    1.0MB

  • memory/4556-140-0x00000000069A0000-0x0000000006B62000-memory.dmp
    Filesize

    1.8MB

  • memory/4556-141-0x00000000070A0000-0x00000000075CC000-memory.dmp
    Filesize

    5.2MB

  • memory/4556-142-0x0000000006920000-0x0000000006986000-memory.dmp
    Filesize

    408KB

  • memory/4556-143-0x0000000007B80000-0x0000000008124000-memory.dmp
    Filesize

    5.6MB

  • memory/4556-144-0x0000000006EA0000-0x0000000006F32000-memory.dmp
    Filesize

    584KB

  • memory/4556-145-0x0000000006FC0000-0x0000000007036000-memory.dmp
    Filesize

    472KB

  • memory/4556-146-0x0000000007060000-0x000000000707E000-memory.dmp
    Filesize

    120KB