General

  • Target

    RFQ_Order No 43456767.js

  • Size

    3.3MB

  • Sample

    230213-shwscsdd9z

  • MD5

    31402979093a6fa8d82437f4c00fdc1e

  • SHA1

    3677af496413e8f925d10e05845a949ad71484a5

  • SHA256

    e43cd083a5db05eb390580af3cc8bcf29561d080e07dfbcc66c2388b8b16c454

  • SHA512

    60d81c88ce2042b91fbf9420dcbef223e91d4064203e8e6bbcebf018b67fe3574f9a437305d145dabeea8dbabec8b1d9679fc56c0cdcdc51984b0a79ff175002

  • SSDEEP

    3072:vkbNExKp0pfpkVU5fzTyb+NuDj/yefrgd84HHM2PQOTWV/g8Ub34mOF3tgsfp9ka:vkbyHHRyV/g8U8mLsEdVARKNNKH

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: smtp.l3hharris.com
  • Port: 587
  • Username: shaun.weeks@l3hharris.com
  • Password: ^JHAkmP2

C2

https://api.telegram.org/bot6151161707:AAGijmYc_-96Khu0IawsMazfJVDSOx_Z96g/sendMessage?chat_id=2006294595

Targets

    • Target

      RFQ_Order No 43456767.js

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (3)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (3)
    T1114 Email Collection (1)

Tasks