vjw0rm | a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce | Triage

Submit
Reports

Overview

overview

Static

static

Executed Contract.js

windows7-x64

Executed Contract.js

windows10-2004-x64

Sharing

General

Target

Executed Contract.js
Size

285KB
Sample

230202-nlldksfh83
MD5

eeacf758acc21133811bce63aa477ee7
SHA1

d2ed9bfbfb8dd47ac3120efc757f43adf3ce3dbf
SHA256

a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce
SHA512

fb97ce1cb831f48f5612976f8401d3eabd580ffb16375f24f53139cc3991a55028fe2a7668024c572b3a08f6e4ef4eca55bca974e07223e5b28901e650ff78b1
SSDEEP

6144:7DrOg9pEJX1WPNSrV8iLgENxGVc+2dfpMAZL6sXZ7lorHawkkt:7DrOrJXAPGZxGVsl6mlsNt

Score

10^/10

vjw0rm wshrat collection persistence spyware stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

Executed Contract.js

Resource

win7-20220812-en

vjw0rm wshrat collection persistence spyware stealer trojan worm

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Executed Contract.js

Resource

win10v2004-20220812-en

vjw0rm wshrat collection persistence spyware stealer trojan worm

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

wshrat

C2

http://auto.stevenpartners.com:23015

Targets

- Target
  
  Executed Contract.js
- Size
  
  285KB
- MD5
  
  eeacf758acc21133811bce63aa477ee7
- SHA1
  
  d2ed9bfbfb8dd47ac3120efc757f43adf3ce3dbf
- SHA256
  
  a7ff79a11115a66f2450844c4b115b799d388d7157ee9d2df27286c0e5acf7ce
- SHA512
  
  fb97ce1cb831f48f5612976f8401d3eabd580ffb16375f24f53139cc3991a55028fe2a7668024c572b3a08f6e4ef4eca55bca974e07223e5b28901e650ff78b1
- SSDEEP
  
  6144:7DrOg9pEJX1WPNSrV8iLgENxGVc+2dfpMAZL6sXZ7lorHawkkt:7DrOrJXAPGZxGVsl6mlsNt
Score

10^/10

vjw0rm wshrat collection persistence spyware stealer trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmwshratcollectionpersistencespywarestealertrojanworm

behavioral2

vjw0rmwshratcollectionpersistencespywarestealertrojanworm

© 2018-2024

Terms | Privacy