Malware Analysis Report

2025-06-15 21:05

Sample ID 220817-g9glzabgbn
Target Orders New.js
SHA256 f4eb514871e587813c80882100952d05a17ea61bbb6a83ee197262e2ebd4e203
Tags
agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

f4eb514871e587813c80882100952d05a17ea61bbb6a83ee197262e2ebd4e203

Threat Level: Known bad

The file Orders New.js was found to be: Known bad.

Malicious Activity Summary

agenttesla vjw0rm collection keylogger persistence spyware stealer trojan worm

Vjw0rm

AgentTesla

Executes dropped EXE

Blocklisted process makes network request

Drops file in Drivers directory

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Accesses Microsoft Outlook profiles

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-17 06:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-17 06:30

Reported

2022-08-17 06:32

Platform

win7-20220812-en

Max time kernel

150s

Max time network

154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TtouVgELLW.js"

C:\Users\Admin\AppData\Local\Temp\G&M.exe

"C:\Users\Admin\AppData\Local\Temp\G&M.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 macjoe597.duia.ro udp 2
CH 91.192.100.8:8159 macjoe597.duia.ro tcp 30
US 8.8.8.8:53 mail.losbrothersconstruction.com udp 1
US 108.163.222.70:587 mail.losbrothersconstruction.com tcp 1

Files

memory/1684-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\TtouVgELLW.js

MD5 fb29f8fba2be3cb1d69f788a7c77905c
SHA1 39028f5bff879e08f049bb352016a935bcd73c6d
SHA256 5345841b45e28bdbcfcdf0382d414f6c3c58900aad828390b950e6eea3df1ffb
SHA512 214187dd8d8e08a70933a390b52d988e523582838aa9343bce8d6c5c295258ccca601a8bc29e52889d343ab1eb62aa8ae7fc7caee190070e02990beb00ea7be9

memory/1328-57-0x0000000000000000-mapping.dmp

memory/1288-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\G&M.exe

MD5 6c208094e087f84ad4c1790292260317
SHA1 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512 d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js

MD5 a542a21ecaba36f6ba8c6457b8ab67f9
SHA1 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256 bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

memory/1328-61-0x000007FEFC491000-0x000007FEFC493000-memory.dmp

memory/1288-62-0x0000000000BE0000-0x0000000000C1A000-memory.dmp

memory/1288-63-0x0000000075D91000-0x0000000075D93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-17 06:30

Reported

2022-08-17 06:32

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js C:\Windows\System32\wscript.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\G&M.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TtouVgELLW.js"

C:\Users\Admin\AppData\Local\Temp\G&M.exe

"C:\Users\Admin\AppData\Local\Temp\G&M.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 macjoe597.duia.ro udp 1
CH 91.192.100.8:8159 macjoe597.duia.ro tcp 28
NL 104.80.225.205:443 (no domain) tcp 1
US 52.182.143.211:443 (no domain) tcp 1
US 93.184.221.240:80 (no domain) tcp 3
US 8.8.8.8:53 mail.losbrothersconstruction.com udp 1
US 108.163.222.70:587 mail.losbrothersconstruction.com tcp 1

Files

memory/3876-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\TtouVgELLW.js

MD5 fb29f8fba2be3cb1d69f788a7c77905c
SHA1 39028f5bff879e08f049bb352016a935bcd73c6d
SHA256 5345841b45e28bdbcfcdf0382d414f6c3c58900aad828390b950e6eea3df1ffb
SHA512 214187dd8d8e08a70933a390b52d988e523582838aa9343bce8d6c5c295258ccca601a8bc29e52889d343ab1eb62aa8ae7fc7caee190070e02990beb00ea7be9

memory/4380-134-0x0000000000000000-mapping.dmp

memory/1672-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js

MD5 a542a21ecaba36f6ba8c6457b8ab67f9
SHA1 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256 bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

C:\Users\Admin\AppData\Local\Temp\G&M.exe

MD5 6c208094e087f84ad4c1790292260317
SHA1 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512 d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

memory/1672-139-0x0000000000360000-0x000000000039A000-memory.dmp

memory/1672-140-0x0000000005260000-0x0000000005804000-memory.dmp

memory/1672-141-0x0000000004D60000-0x0000000004DFC000-memory.dmp

memory/1672-142-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/1672-143-0x0000000006190000-0x00000000061E0000-memory.dmp

memory/1672-144-0x0000000006570000-0x0000000006602000-memory.dmp

memory/1672-145-0x0000000006530000-0x000000000653A000-memory.dmp