Malware Analysis Report

2025-06-15 21:05

Sample ID: 220816-rlkzladaf4
Target: new orders.js
SHA256: 41a2892987c1d6a2d2815fe7a06897b873003d65e32ead538e5de8b2b09a904a
Tags: agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 41a2892987c1d6a2d2815fe7a06897b873003d65e32ead538e5de8b2b09a904a

Threat Level: Known bad

The file new orders.js was found to be: Known bad.

Malicious Activity Summary

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm

AgentTesla

Vjw0rm

Blocklisted process makes network request

Drops file in Drivers directory

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Drops startup file

Reads data files stored by FTP clients

Accesses Microsoft Outlook profiles

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-16 14:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-16 14:16

Reported: 2022-08-16 14:22

Platform: win7-20220812-en

Max time kernel: 293s

Max time network: 298s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\new orders.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js | C:\Windows\System32\wscript.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\new orders.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SiytxiPIfa.js"

C:\Users\Admin\AppData\Local\Temp\G&M.exe

"C:\Users\Admin\AppData\Local\Temp\G&M.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | macjoe597.duia.ro | udp
CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp
US | 8.8.8.8:53 | mail.losbrothersconstruction.com | udp
US | 108.163.222.70:587 | mail.losbrothersconstruction.com | tcp

Files

memory/760-54-0x000007FEFC041000-0x000007FEFC043000-memory.dmp

memory/1888-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\SiytxiPIfa.js

MD5 a2079e0212dfd821a8ee552397bff943
SHA1 3464c8d0d2cfff3275714c0f9f506c81e53c27f2
SHA256 cacdff6af2acf1838783fb80822df7a13ef9a4b0865ec067dbca6d7557498d0e
SHA512 df99ec27d74cfd7cd513a6960b531bfe0bdb8151e5890bb1b35ce8d815c9560646bbc0efaa8f4f27e531ba932b08fc83d4bdaafcda04ff376e6f5aef9adaf845

memory/1620-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\G&M.exe

MD5 6c208094e087f84ad4c1790292260317
SHA1 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512 d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

memory/1620-61-0x0000000000850000-0x000000000088A000-memory.dmp

memory/1620-62-0x0000000076141000-0x0000000076143000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-16 14:16

Reported: 2022-08-16 14:22

Platform: win10v2004-20220812-en

Max time kernel: 299s

Max time network: 304s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\new orders.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js | C:\Windows\System32\wscript.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4256 wrote to memory of 2736 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 4256 wrote to memory of 3080 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\G&M.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\G&M.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\new orders.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SiytxiPIfa.js"

C:\Users\Admin\AppData\Local\Temp\G&M.exe

"C:\Users\Admin\AppData\Local\Temp\G&M.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | macjoe597.duia.ro | udp
CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp
US | 209.197.3.8:80 |  | tcp
US | 8.8.8.8:53 | mail.losbrothersconstruction.com | udp
US | 108.163.222.70:587 | mail.losbrothersconstruction.com | tcp
US | 93.184.220.29:80 |  | tcp
NL | 104.80.225.205:443 |  | tcp
FR | 51.11.192.48:443 |  | tcp
NL | 87.248.202.1:80 |  | tcp

Files

memory/2736-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\SiytxiPIfa.js

MD5 a2079e0212dfd821a8ee552397bff943
SHA1 3464c8d0d2cfff3275714c0f9f506c81e53c27f2
SHA256 cacdff6af2acf1838783fb80822df7a13ef9a4b0865ec067dbca6d7557498d0e
SHA512 df99ec27d74cfd7cd513a6960b531bfe0bdb8151e5890bb1b35ce8d815c9560646bbc0efaa8f4f27e531ba932b08fc83d4bdaafcda04ff376e6f5aef9adaf845

memory/3080-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\G&M.exe

MD5 6c208094e087f84ad4c1790292260317
SHA1 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512 d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

memory/3080-137-0x0000000000D80000-0x0000000000DBA000-memory.dmp

memory/3080-138-0x0000000005C90000-0x0000000006234000-memory.dmp

memory/3080-139-0x0000000005790000-0x000000000582C000-memory.dmp

memory/3080-140-0x0000000006430000-0x0000000006496000-memory.dmp

memory/3080-141-0x0000000006C30000-0x0000000006C80000-memory.dmp

memory/3080-142-0x0000000006A40000-0x0000000006AD2000-memory.dmp

memory/3080-143-0x0000000006A20000-0x0000000006A2A000-memory.dmp