Overview

overview

10

Static

static

1

BELL210 AN...III.js

windows7-x64

10

BELL210 AN...III.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BELL210 AND ALLOUETTE III.js

  • Size

    8.8MB

  • Sample

    230210-l69ksshf6t

  • MD5

    dfb37335684d81ea565f5281c9a799e4

  • SHA1

    ba58fc83b2a10b111c6db6ae31ee03cfd201b8fc

  • SHA256

    e5a333dae12ac8664bcc0bd12b991ec8095256e4aaf15f6afeb5b014e70146ed

  • SHA512

    e055886a61b86402a3ed136fa33bda70106b6904e4c2b4a6b1f685923c281f2f1a66ee1dea0f589f7b0de52498d40b56825a892c09effbbabd527bd72825433b

  • SSDEEP

    3072:AiePnmJZBc9hVWQlxlclBwd0PGGGUSJREQX4ULG9LbuewHVP3eJuR0RfuzkQYhsY:V

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerspywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5958393772:AAGyX-afxRqNUOVdPT528XtfkgekWKm1kNE/sendMessage?chat_id=1407227065

Targets

    • Target

      BELL210 AND ALLOUETTE III.js

    • Size

      8.8MB

    • MD5

      dfb37335684d81ea565f5281c9a799e4

    • SHA1

      ba58fc83b2a10b111c6db6ae31ee03cfd201b8fc

    • SHA256

      e5a333dae12ac8664bcc0bd12b991ec8095256e4aaf15f6afeb5b014e70146ed

    • SHA512

      e055886a61b86402a3ed136fa33bda70106b6904e4c2b4a6b1f685923c281f2f1a66ee1dea0f589f7b0de52498d40b56825a892c09effbbabd527bd72825433b

    • SSDEEP

      3072:AiePnmJZBc9hVWQlxlclBwd0PGGGUSJREQX4ULG9LbuewHVP3eJuR0RfuzkQYhsY:V

    Score
    10/10
    snakekeyloggervjw0rmkeyloggerstealertrojanwormcollectionspyware

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks