General

  • Target

    mal.zip

  • Size

    1.9MB

  • Sample

    221229-a3ck4sfb5s

  • MD5

    531973e4c77b6ef57ba482c556a883c8

  • SHA1

    4f2c81e8daf58de3d3e6ec2bec24314d7b2c98d1

  • SHA256

    09b361c61bcd3e3c9a8eda0a5260d953dd3bd749dd6d037d26cdfec0474a972e

  • SHA512

    f6d73b84036541f98cc2aa65421a41d24cf9fb4ede3f9751a1e49596261b958ce309137788b07c714e1498f45c30e0e973719622c6593434e71799fa068683de

  • SSDEEP

    49152:pLq43Tw08nhN9W5Yc+5AmYJVm29u0OJzqEwZZ7EHY:f3nwNQqHARhsFJzqEwZZ7EHY

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    server240.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Success4sure2day10@

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      109a25a65dcb12435377b0f9f4159f4c.js

    • Size

      403KB

    • MD5

      109a25a65dcb12435377b0f9f4159f4c

    • SHA1

      1579ca605a83527a8befe3edeaff3d4feaa293d4

    • SHA256

      1deb0b650909a1e7895b5b8f315428ac66353161513e5de9261c7477c7bdc386

    • SHA512

      a268722c75135d95ffbbba8141154a571d10ac5662348e314f7dcc2c67f36d43c8a9a89a4787d9ddeb8960503d6a50ded415b95c795e8c6c426b9aa6f09e0e95

    • SSDEEP

      6144:Rcem0BIMD9F+gX64GsJI1s2eVawLGkIHEC6kOnylYYADJKV91XFzza:eeTIiGA6/sG11wLGdbAMV9a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      31f0b844ee61cd2c8bbea74fc2b09ba6.doc

    • Size

      55KB

    • MD5

      31f0b844ee61cd2c8bbea74fc2b09ba6

    • SHA1

      c956ea668864997f9aeab19b839ce258a8a07307

    • SHA256

      124745723b74fc19237fb080c475b4dfb39cd722d2fa75da7da0b4f5c8f0e487

    • SHA512

      72238cf2c0fcf9180fa266b91219e52db208a767fcfca96cbf4b5d3ae63e303813f6faa76d6fb87ba7bceb96a2a7cad98153fc2b7becb96f73f1ce4d05fbbd9f

    • SSDEEP

      768:m8bEH73eGpTJ9Stu47xi41EyN4S6rz0VIZ:AzeAF9S4HP/we

    Score
    1/10

    • Target

      641d80a70da56a8b33cbaff530cf6d2e.js

    • Size

      267KB

    • MD5

      641d80a70da56a8b33cbaff530cf6d2e

    • SHA1

      9dc182e6dd82a28c2546583bdd2c4d7a86f70aeb

    • SHA256

      bc6b3044943128e9f326b4c0bde41375596254ac5fb4f0e8c00c2eef33688247

    • SHA512

      f0de610da7b3be90db1c591a973fde1da4f6c2e6b27e388d3d7086e1ad975de1d9c645beff98c0b7f193438839d29a36c059f17fe874d7d4ce31feda39228481

    • SSDEEP

      3072:U/YirPgDvzlvtD636gUNgUmMuUbemcVGHQmC+DYUzSsqbDrCPx7Yvgke/ikIS363:JpvtD6DumBVGHbrSPrCpkvM3RlP6Rb

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      8aa5dd5a8392d399292fd831f9ebc486.js

    • Size

      48KB

    • MD5

      8aa5dd5a8392d399292fd831f9ebc486

    • SHA1

      b7815f4df84394870dd7ca91c731fe606f726afd

    • SHA256

      754416cc0f441aef7bacb842368fd06744048c4219943d5bd093e2a7e17f9267

    • SHA512

      82b1f15b16f4f73947165084ecdcf9ef28ec02f29ceb86eb1ba831c9b2d561d72c311965532a363bd03cbcca0f8497acf8e9a3672c29a86cfe71ef1aa4e4e78a

    • SSDEEP

      768:9ELx847vqNaCQVUmobI2iSi5B7sqkl3enKxNH7sse:W4Q8xsB7sqkW8NHI5

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Target

      e79d5e1f9fff4bf994e5538522b24eb4.vbs

    • Size

      2.5MB

    • MD5

      e79d5e1f9fff4bf994e5538522b24eb4

    • SHA1

      b341ee89c031dd3aeba06c26557fb2a2b0a0b9d5

    • SHA256

      5de77f2f3ae3370ff275b412721dba5fb7d1b09ed16a219af4293af34f80d4c9

    • SHA512

      576c5a8803009d4ffc3d752b9414488043a95c6440c28d7de238346b6cad31e0160a54af7744e74de27f90ecb84d44da2a6744d6807ee19553504e44da5b245e

    • SSDEEP

      49152:ju+35qFXTaUXVhcZTYURtDPczv5uRSq/a:Y

    Score
    1/10

MITRE ATT&CK Enterprise v6