Malware Analysis Report

2025-06-15 21:06

Sample ID 220817-g92xxaege7
Target PROFORMA.js
SHA256 bb233cd3bfd0141e493746f8b0ea0095bc95a98221c5e7ac473c51c16f4ef3f8
Tags
agenttesla vjw0rm collection keylogger spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb233cd3bfd0141e493746f8b0ea0095bc95a98221c5e7ac473c51c16f4ef3f8

Threat Level: Known bad

The file PROFORMA.js was found to be: Known bad.

Malicious Activity Summary

agenttesla vjw0rm collection keylogger spyware stealer trojan worm

Vjw0rm

AgentTesla

Blocklisted process makes network request

Drops file in Drivers directory

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops startup file

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-17 06:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-17 06:31

Reported

2022-08-17 06:33

Platform

win7-20220812-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js"

C:\Users\Admin\AppData\Roaming\Ameder.exe

"C:\Users\Admin\AppData\Roaming\Ameder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 macjoe597.duia.ro udp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
US 8.8.8.8:53 server240.web-hosting.com udp
US 199.188.200.15:587 server240.web-hosting.com tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp

Files

memory/2016-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

memory/1756-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js

MD5 cd234e5e1b9b723c5c697a5c1c1bbe4f
SHA1 f12f5590137c6f3f8145c2b5cf279c15070cc016
SHA256 8290dd28ba5d7f3122fcb327a70cc19fcba95f97403c35a21f617ef1d0abf1c9
SHA512 520c2cc546ef0a220dc1d12b563b1fd34f3232047a3bc0ef331b47f17fb2bc49c09a7a04a776f18b05e01db8baacf4e2261e50ce50fd8ea64b6bc21206f26096

memory/1528-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Ameder.exe

MD5 bb3183ab7345bd26974ecc8eb29fa06c
SHA1 e1b6195b9546aeae5a5a636ced1f66f04290eeab
SHA256 9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e
SHA512 244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f

C:\Users\Admin\AppData\Roaming\Ameder.exe

MD5 bb3183ab7345bd26974ecc8eb29fa06c
SHA1 e1b6195b9546aeae5a5a636ced1f66f04290eeab
SHA256 9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e
SHA512 244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f

memory/1528-61-0x00000000000F0000-0x000000000012A000-memory.dmp

memory/1528-62-0x00000000761F1000-0x00000000761F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-17 06:31

Reported

2022-08-17 06:33

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 3768 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4704 wrote to memory of 3768 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4704 wrote to memory of 3508 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\Ameder.exe
PID 4704 wrote to memory of 3508 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\Ameder.exe
PID 4704 wrote to memory of 3508 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\Ameder.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Ameder.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js"

C:\Users\Admin\AppData\Roaming\Ameder.exe

"C:\Users\Admin\AppData\Roaming\Ameder.exe"

Network

Country Destination Domain Proto
NL 95.101.78.82:80 tcp
US 8.8.8.8:53 macjoe597.duia.ro udp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
US 8.8.8.8:53 server240.web-hosting.com udp
US 199.188.200.15:587 server240.web-hosting.com tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 104.80.225.205:443 tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
US 52.182.143.208:443 tcp
NL 8.248.5.254:80 tcp
NL 8.248.5.254:80 tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp
CH 91.192.100.8:8159 macjoe597.duia.ro tcp

Files

memory/3768-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js

MD5 cd234e5e1b9b723c5c697a5c1c1bbe4f
SHA1 f12f5590137c6f3f8145c2b5cf279c15070cc016
SHA256 8290dd28ba5d7f3122fcb327a70cc19fcba95f97403c35a21f617ef1d0abf1c9
SHA512 520c2cc546ef0a220dc1d12b563b1fd34f3232047a3bc0ef331b47f17fb2bc49c09a7a04a776f18b05e01db8baacf4e2261e50ce50fd8ea64b6bc21206f26096

memory/3508-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Ameder.exe

MD5 bb3183ab7345bd26974ecc8eb29fa06c
SHA1 e1b6195b9546aeae5a5a636ced1f66f04290eeab
SHA256 9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e
SHA512 244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f

C:\Users\Admin\AppData\Roaming\Ameder.exe

MD5 bb3183ab7345bd26974ecc8eb29fa06c
SHA1 e1b6195b9546aeae5a5a636ced1f66f04290eeab
SHA256 9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e
SHA512 244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f

memory/3508-137-0x00000000000B0000-0x00000000000EA000-memory.dmp

memory/3508-138-0x0000000004F50000-0x00000000054F4000-memory.dmp

memory/3508-139-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

memory/3508-140-0x00000000057B0000-0x0000000005816000-memory.dmp

memory/3508-141-0x0000000005EE0000-0x0000000005F30000-memory.dmp

memory/3508-142-0x00000000061D0000-0x0000000006262000-memory.dmp

memory/3508-143-0x0000000006130000-0x000000000613A000-memory.dmp