Extracted

Extracted

Extracted

• • Target

    9b0b93c3f2b8fee5d774436447b4990f.js.vir

  • Size

    37KB

  • MD5

    aa015cde14808315df0e50fc98fa8ca1

  • SHA1

    499fd482cd7bad8d905564983f07e7ae822ea189

  • SHA256

    75c5452fe55b5b42e88f7e22cf3d54665f639f721b55dbafa78b43c644f1b598

  • SHA512

    08af4131b97d2177723bbc23981286f6f22e780db6d6f0e8894048fc971eb3cee3109b1daebe31107c2119d48ba0423625e6fbce180e6b9bc1fecdc56bba6278

  • SSDEEP

    768:NDVC12hDVX/opI7vr3t+borH2OAH1XJLYlCH56v+1KnLmVk:dVCUhRWI7vjtsorWOAH1XJsCH56vwmLz

  Score

  10^/10

  agentteslavjw0rmwshratcollectionkeyloggerpersistencespywarestealertrojanworm

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm

  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2