Overview

overview

10

Static

static

1

BELL210 AN...III.js

windows7-x64

10

BELL210 AN...III.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BELL210 AND ALLOUETTE III.zip

  • Size

    189KB

  • Sample

    230210-q89e2abh5w

  • MD5

    bef80f74226735b204eec8d9396e974c

  • SHA1

    c3478e49536adaba5209ea824c68b80c8ffd9263

  • SHA256

    b0d13254f457837743f01ea116e6c8086f418221fe5619d9baf5db806fbe54b3

  • SHA512

    aaf5638b96c109da2b205d995770112098cb20d894676e08ddff77069056a827d97f751195271a83abde795079543a7f86724e4dc40f07767ab2f98f1be25174

  • SSDEEP

    3072:IMufhSkW1XrYOU9aeR22tlG6oH3MpknyA+Kqp3qvMyVHe05n7dTulUNoKdf/O1gt:WhSkWiOU4eR296oeyyAt+6MyV+6nhuls

Score
10/10
snakekeyloggervjw0rmcollectionkeyloggerspywarestealertrojanworm

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5958393772:AAGyX-afxRqNUOVdPT528XtfkgekWKm1kNE/sendMessage?chat_id=1407227065

Targets

    • Target

      BELL210 AND ALLOUETTE III.js

    • Size

      8.8MB

    • MD5

      dfb37335684d81ea565f5281c9a799e4

    • SHA1

      ba58fc83b2a10b111c6db6ae31ee03cfd201b8fc

    • SHA256

      e5a333dae12ac8664bcc0bd12b991ec8095256e4aaf15f6afeb5b014e70146ed

    • SHA512

      e055886a61b86402a3ed136fa33bda70106b6904e4c2b4a6b1f685923c281f2f1a66ee1dea0f589f7b0de52498d40b56825a892c09effbbabd527bd72825433b

    • SSDEEP

      3072:AiePnmJZBc9hVWQlxlclBwd0PGGGUSJREQX4ULG9LbuewHVP3eJuR0RfuzkQYhsY:V

    Score
    10/10
    snakekeyloggervjw0rmkeyloggerstealertrojanwormcollectionspyware

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks