Overview

overview

10

Static

static

PO20221110-PDF.js

windows7-x64

10

PO20221110-PDF.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO20221110-PDF.js

  • Size

    511KB

  • Sample

    221012-qlpgcadfbr

  • MD5

    abb2c006b96920466b3ccf956f734e3b

  • SHA1

    23ba08441fb0f5bad93a2d258fe72bfb429b1250

  • SHA256

    94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d

  • SHA512

    4ebbee2d4d067ab93a05ae12afba09e744a003428169916d93cb47774e66c1eb99f1b9e7627580e844a4c99dc5b22dfefa88c8acc22fa6329f92060ce5a6751c

  • SSDEEP

    12288:X4asKyOMBGvENnL8m4wNTUewr4ZOFQLlvaVHDT73tNBcQmXOFjL3veFL:N56MEZ74BwQJjL3vY

Score
10/10
netwirevjw0rmbotnetratstealertrojanworm

Malware Config

Extracted

Family

netwire

C2

jspowerone.cloudns.nz:8078

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    DN

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    TestLink.lnk

  • lock_executable

    false

  • mutex

    wLPvLQMO

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      PO20221110-PDF.js

    • Size

      511KB

    • MD5

      abb2c006b96920466b3ccf956f734e3b

    • SHA1

      23ba08441fb0f5bad93a2d258fe72bfb429b1250

    • SHA256

      94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d

    • SHA512

      4ebbee2d4d067ab93a05ae12afba09e744a003428169916d93cb47774e66c1eb99f1b9e7627580e844a4c99dc5b22dfefa88c8acc22fa6329f92060ce5a6751c

    • SSDEEP

      12288:X4asKyOMBGvENnL8m4wNTUewr4ZOFQLlvaVHDT73tNBcQmXOFjL3veFL:N56MEZ74BwQJjL3vY

    Score
    10/10
    netwirevjw0rmbotnetratstealertrojanworm

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks