Overview

overview

10

Static

static

vieKruIqohwama.js

windows7-x64

10

vieKruIqohwama.js

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vieKruIqohwama.js

  • Size

    67KB

  • MD5

    76bbaec4c23114922ab7984042725d2a

  • SHA1

    97612b8e6e45c17b78aca2ee645bd6ec0e37853b

  • SHA256

    60c0ecb470e4c5b8f985db4eef3775842081eec19ff3468f3c751b61bc44cecb

  • SHA512

    9c7d3e713e03915c31be5bbc7dafc43238ab206e8b597216ae62eec62c47021c09b032b52dc903d76581018e95c39a89c72dae0245fbe4c590a4b8c231f56ea0

  • SSDEEP

    768:kOWy5gufY8gJ/9Gk9RMcvqSpfDbuVp24R6Pr3zZOAsC0TZFMn1HQt2OE:nSR2SdDw2g6PrDAAeU

Score
10/10
agentteslavjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://45.139.105.174:7575

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 7 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\vieKruIqohwama.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZaeRrrJpKE.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:4196
    • C:\Users\Admin\AppData\Local\Temp\8F4METXWO2.exe
      "C:\Users\Admin\AppData\Local\Temp\8F4METXWO2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Users\Admin\AppData\Local\Temp\wlmrod.exe
        "C:\Users\Admin\AppData\Local\Temp\wlmrod.exe" C:\Users\Admin\AppData\Local\Temp\jydvsf.gy
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Users\Admin\AppData\Local\Temp\wlmrod.exe
          "C:\Users\Admin\AppData\Local\Temp\wlmrod.exe" C:\Users\Admin\AppData\Local\Temp\jydvsf.gy
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8F4METXWO2.exe
    Filesize

    689KB

    MD5

    973c60d1591dfe39bffdf01f62972f60

    SHA1

    ff052c9f5a0f11bccabcafdf9cce0cfb00da64df

    SHA256

    7990d4f0d7fddec10a44524bf415615ce0f8af6036fa93ba99e80aa9a3e96cae

    SHA512

    4170ba55de00c505dd58415c57d37e422f5dc804bcaa61b6793035c54df8f759d15e9bcd1c84132d5ac3956d624e42058ba35550d1588cfebe9227c04a42f9f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8F4METXWO2.exe
    Filesize

    689KB

    MD5

    973c60d1591dfe39bffdf01f62972f60

    SHA1

    ff052c9f5a0f11bccabcafdf9cce0cfb00da64df

    SHA256

    7990d4f0d7fddec10a44524bf415615ce0f8af6036fa93ba99e80aa9a3e96cae

    SHA512

    4170ba55de00c505dd58415c57d37e422f5dc804bcaa61b6793035c54df8f759d15e9bcd1c84132d5ac3956d624e42058ba35550d1588cfebe9227c04a42f9f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jydvsf.gy
    Filesize

    8KB

    MD5

    d98923494ed8bf9ebdb33fb21d4f4c63

    SHA1

    a5f832b8e3969b6172172374c896dc8355409cc5

    SHA256

    1dbf1d8f741775fd8853fbff8ab392705ca8e46518fae7f9ddc0e88ac5b10176

    SHA512

    14532a8d8f3d73d59aaf293c4fdc8565cb22c9b95301d41826082ee2984a36a805e8507a35f9884d8536a1de759978cf37dc2436aa7f0aaf665a1d06751940aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\spdpbnx.vt
    Filesize

    296KB

    MD5

    11575463dcffb879136d9d3e8090b63c

    SHA1

    93afbd6adb016db8515384e68b1cedaad6c2be71

    SHA256

    a1df43ec1eaf99b6e496cb3d09bedbeaa63c47a54d8732e4ff99f45e224426d5

    SHA512

    b57cb05bbf0bff6a73a3bcf4781bf0df817a0f125a710c91e924cd38df1219a086f67a2fb8924e6de18ae1085f5d95ed99f1bd28eb05847053ba99fe9fad4fa8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wlmrod.exe
    Filesize

    30KB

    MD5

    94b1a1e9b0045f151cedf6958510d6c7

    SHA1

    76df1bdcfd48f68f220aabeb271a5eab7a2c26fc

    SHA256

    bbb42ed16a8afbb2b674bc15904316beb197824337380f5bb62df80bfd260ba3

    SHA512

    2f79760bb17bfa45f4b56d9c3cff838d37724bf4361dda145a91cd7901c5f06fe3d49a703e5d0a0a808ae9b731fcc1d348428510a48ea8648b865d31b6e4fde7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wlmrod.exe
    Filesize

    30KB

    MD5

    94b1a1e9b0045f151cedf6958510d6c7

    SHA1

    76df1bdcfd48f68f220aabeb271a5eab7a2c26fc

    SHA256

    bbb42ed16a8afbb2b674bc15904316beb197824337380f5bb62df80bfd260ba3

    SHA512

    2f79760bb17bfa45f4b56d9c3cff838d37724bf4361dda145a91cd7901c5f06fe3d49a703e5d0a0a808ae9b731fcc1d348428510a48ea8648b865d31b6e4fde7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wlmrod.exe
    Filesize

    30KB

    MD5

    94b1a1e9b0045f151cedf6958510d6c7

    SHA1

    76df1bdcfd48f68f220aabeb271a5eab7a2c26fc

    SHA256

    bbb42ed16a8afbb2b674bc15904316beb197824337380f5bb62df80bfd260ba3

    SHA512

    2f79760bb17bfa45f4b56d9c3cff838d37724bf4361dda145a91cd7901c5f06fe3d49a703e5d0a0a808ae9b731fcc1d348428510a48ea8648b865d31b6e4fde7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ZaeRrrJpKE.js
    Filesize

    23KB

    MD5

    4ebbd7d1c870fbf6e670a36ab9dcec6e

    SHA1

    6f68a0672c8573f4946229bb9a706762f2a524d1

    SHA256

    ada2453fd52dc145e52245bca674dcb87aafd2dd003e13e08842b5654e76bafb

    SHA512

    038aebf635746663dd605b7e8e583da6d5275adcaa9c1cd473a6313f0f861a41dcb398e0cb0522090f84f9e78b0e9d9136e8bac45f7b4722d279da61d1a136c8

    Download Submit

  • memory/612-147-0x0000000005050000-0x00000000050EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/612-143-0x0000000000000000-mapping.dmp

    Download

  • memory/612-145-0x0000000005560000-0x0000000005B04000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/612-146-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/612-148-0x0000000005F50000-0x0000000005FB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/612-149-0x00000000068B0000-0x0000000006900000-memory.dmp

    Filesize

    320KB

    Download

  • memory/612-150-0x0000000006A20000-0x0000000006AB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/612-151-0x0000000006D50000-0x0000000006D5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1488-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4196-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4764-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4764-142-0x0000000000440000-0x0000000000443000-memory.dmp

    Filesize

    12KB

    Download