General

  • Target

    Purchase Order.js

  • Size

    416KB

  • Sample

    220725-v8w7xscggn

  • MD5

    c1e4692ddf7c0d185bd22009e16ecc23

  • SHA1

    2ded130da9911cb4de8c0509274e0f3334e3a452

  • SHA256

    e036752f36ea0c6f711330469d78e04cbf944466dcacc3e2b27544716c34e0a3

  • SHA512

    21536109ada4b5a5481ec84a4cb0984932ec057866637655b9312199ab20d6260b2be06a961a9de672b9511f1fbb4225fec6ea1208534573cda0463b87751862

Malware Config

Targets

    • Target

      Purchase Order.js


    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6