vjw0rm | fe18a09be16b7490b0ee0f7445b9fe20d2b5ec602aacd06fc8a86c087252615c | Triage

Resubmissions

30/11/2022, 08:59

221130-kx75yaeh93 10

29/11/2022, 10:48

221129-mwllnaeg4s 3

29/11/2022, 09:32

221129-lh3gksff94 10

Sharing

Copy URL Twitter E-mail

General

Target

8487327083.zip
Size

169KB
Sample

221130-kx75yaeh93
MD5

58116e27b75ed0549ab87f6216e2a953
SHA1

2354de0ed15818a5999ff2662e06d3979797b17c
SHA256

fe18a09be16b7490b0ee0f7445b9fe20d2b5ec602aacd06fc8a86c087252615c
SHA512

97b45073ab6124b137ae58af761a8635c097aa07a0943542d14e63e7c559b8fe71b57ab2d8d0b62eaa1c92c1ecf0ae587f1d7f750514de8829cdb6a548f938ba
SSDEEP

3072:gJiFwcQca2aJqz9uac2u4HHmjXq3e8FJRA9JZGCz3Nuhx3vUW838N3pdQzY9NPn:g4wJ2/uqni63RJRSrGY38/UW83Ap8cZ

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Extracted

Family

wshrat

C2

http://grace-fax.home-webserver.de:24150

Targets

- Target
  
  8487327083.zip
- Size
  
  169KB
- MD5
  
  58116e27b75ed0549ab87f6216e2a953
- SHA1
  
  2354de0ed15818a5999ff2662e06d3979797b17c
- SHA256
  
  fe18a09be16b7490b0ee0f7445b9fe20d2b5ec602aacd06fc8a86c087252615c
- SHA512
  
  97b45073ab6124b137ae58af761a8635c097aa07a0943542d14e63e7c559b8fe71b57ab2d8d0b62eaa1c92c1ecf0ae587f1d7f750514de8829cdb6a548f938ba
- SSDEEP
  
  3072:gJiFwcQca2aJqz9uac2u4HHmjXq3e8FJRA9JZGCz3Nuhx3vUW838N3pdQzY9NPn:g4wJ2/uqni63RJRSrGY38/UW83Ap8cZ
Score

1^/10
behavioral1
- Target
  
  Order-Inquiry-020-10-28-22.js
- Size
  
  257KB
- MD5
  
  144bc81f1a91e281159dd7e51ebe682c
- SHA1
  
  3eeaa18af60d63898787411867c0cf26e760658e
- SHA256
  
  ebb80911d7d1b734fdafbf50f11b3cdf127a7a94a21201984d47b0bb6d47ca33
- SHA512
  
  a19701cb690b457acc9925a31e44c6f5d0c09f5bb939a7158d5e29f3d2757c252766271f9e5a5886550f4eed29c133c3b12d4313d4192198994eaf0012f6bbe2
- SSDEEP
  
  3072:nzsF5ejqKQKWGeIzuyR/I2MWJcsVfeaWYRfzbpdCltDvuLTrPFztzI0utitb0k2j:4FhGruytJQYRfRguLpt0ZtcVsCV+6E
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vjw0rmwshratpersistencetrojanworm