General

  • Target

    15993026ade985e2d41f8f8d6d60179901f2d5be4515870c1c4030f78466dbb0

  • Size

    295KB

  • Sample

    230323-rr6hgsgc56

  • MD5

    dd21f8249db2858aa4c85c12e71b55cc

  • SHA1

    b9fe37ee982168ef16639bb1cc65ee4137fe7c9f

  • SHA256

    15993026ade985e2d41f8f8d6d60179901f2d5be4515870c1c4030f78466dbb0

  • SHA512

    e08ef8f15a9ecbf674c0db5f2a956e39e9f894cd55388a6c8f2cc94dedc6296da6c19e22a282c9ec96b1be3289faf425310dcb30d18b4b2ac763b3537946675b

  • SSDEEP

    1536:FW3JRZLzBJ5wGq4up0KjIko1EnTJgOiAOqZ8RzrWWmBSwGjols/ZL4vUNr:FWVzBJ5wGqpjIko1EVzGlfwGnJXr

Malware Config

  • Extracted

    Family: purecrypter
    C2: https://ashaambulanceservice.com/Vuzbri.bmp

  • Extracted

    Family: vjw0rm
    C2: http://js9400.duckdns.org:9400
    C2: http://js9300.duckdns.org:9300

Targets

    • Target

      $RECYCLE.BIN/$I40P23D.exe

    • Size

      544B

    • MD5

      7e08962bf47aae3acd8a9633b0a62e19

    • SHA1

      c4e224381213d3454fe45cb84a1c3211be30272c

    • SHA256

      ee89ffc4cb01b0323c56ed7d190906501f4aabab067a07aac67bad2e0559929c

    • SHA512

      d78b50c484609bb32d701d606e6b58dc606b70d8c562af7cdc26cda2803684800be7f18384551b447847645fbc21d3c49eb5fa24e136fc6fc4acab538babd7d2

    • Score

      1/10

    • Target

      $RECYCLE.BIN/$I4FIL8H.js

    • Size

      544B

    • MD5

      3bb5ddbbc15c65e6d7af1c41a877bf2f

    • SHA1

      c9411803abd57b1c62936f7a973fde45b792a0f9

    • SHA256

      73cfb6a30179d5759f151505756edd832bdfe6675424cdfef2d0d95b9265fe14

    • SHA512

      6b3eacbd3de4c5ec44852cef7349062d206f3af35f6f315a9e57af6023ac3cd563bd4bfc3f1ce4a1ca69e394e2fd33bec7a7185bac289be7ac713bc24a497686

    • Score

      1/10

    • Target

      $RECYCLE.BIN/$I5VEPRW.js

    • Size

      544B

    • MD5

      7fcacbf214c7091a4e52f42ba83ca75a

    • SHA1

      93e6071f014cd5f47dbc0e52c93aadcde29e1457

    • SHA256

      1704bea192c12c3d81474e73f5d0a2cc98cb57e9440e3f033862bd85f5980f85

    • SHA512

      bae645c2ac3758975d468413e430c22c8c9803d90b65ea2d593ab542f901ad771bec89a6eef87103b28105a38addfa97cabb794f488caeb6024542d5c5a8f27f

    • Score

      1/10

    • Target

      $RECYCLE.BIN/$IMH8R2U.js

    • Size

      544B

    • MD5

      2c4439dfc4bfb10e8bf9eb4c2932e067

    • SHA1

      925eba054aae34b564c9f70f6813b70eedc744f8

    • SHA256

      161b64c65461b1aa5fbbdfb7d465686ba02b4b3d89a19aaafb2f1a0f4f72597a

    • SHA512

      64f02a63b754586e03a27547f4a2c468307318768bfb24bbb7ad3e02fc726c9e057e1770e8f84b849aad93f9751a655082129bde03a1c45afb6edf495f588501

    • Score

      1/10

    • Target

      $RECYCLE.BIN/$INQFVCX.js

    • Size

      544B

    • MD5

      785d7495c40c57ff355bdd40fac8cf12

    • SHA1

      01314e40ff1b18903b99dfd8ece5fffdb2483cfd

    • SHA256

      16c7570294e81d5aeced887427d167f369be91a4fc9b099eef1c16023daa8e69

    • SHA512

      0f093fc1b2a4c480b8f14ac9172f4401804d779255b6045266761023698c8d6aa3f895aaaf3d632c813d3cab5ee5b83f4653e3967aece324243e846c7252db9b

    • Score

      1/10

    • Target

      $RECYCLE.BIN/$R40P23D.exe

    • Size

      92KB

    • MD5

      d40448b5ac56cf8f2a4bbea8d22982c2

    • SHA1

      ad405a4f3ea892a80b696f7460de70bbb6b082f8

    • SHA256

      d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc

    • SHA512

      be9b6ffda6ebee70baa79bab24129150895bf5d06f0d634a1099e129bd63396c2f73e1c82115b6ca37df5aa5c406e3d1df2932e9a8dbeb927aacda727675082d

    • SSDEEP

      384:IiZHmh0O/Lrw+Ke8QEoDeJisnDPnFw5sglcMhQM0u+GrCPHFYgMSXA:IgGhHzr8e8B1PnFusmcDCXrCPqEXA

    • Target

      $RECYCLE.BIN/$R4FIL8H.js

    • Size

      9.0MB

    • MD5

      5d97ab7f843e6c18b96c4e34bd65ff09

    • SHA1

      9ad9f18b92f57a3e1536a552dc3e4081b34169e2

    • SHA256

      eb841738aeb5f98695da31d3ebe1bf241f8411283373fd6e99788fc52903b1be

    • SHA512

      116897043738962c9e059d4701e01b3f36987100a00951ef020c2481dc100a3a59eaf106e5c96b042019dceb53b3a143454c6aaa861262bf2d24c45651699e81

    • SSDEEP

      96:kZH1uyAXIXGou2lcJc9l2JEuft2v2wz2zadZxOBeFcr3vVkcZBIKkcZBe4KcZUCS:kZVhpngJpG2wz2xkFm3vVEKZpFEm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Target

      $RECYCLE.BIN/$R5VEPRW.js

    • Size

      97KB

    • MD5

      7afbb2051c1ba1c1e88c499c5e11636a

    • SHA1

      4b2a14b3ca310b1f39959c130ae7b72a03078873

    • SHA256

      74fc83dc153086db0329b982e73e8bee4b652d1265c8185b0b4374898a112d06

    • SHA512

      c506d2d13383948d9acfafdc152f81326fc73381530fbb019794f9bc2b7733b3b455f6eddc92d597614f0f6d641f391d737f93f809486707cb1d8f84378309ec

    • SSDEEP

      384:chWWz5Kfy24jHueR45qWWxWBWHKSqmqR4G:XYG

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Target

      $RECYCLE.BIN/$RMH8R2U.js

    • Size

      97KB

    • MD5

      7aab68aeb388528f9e3448ea0dce56d7

    • SHA1

      07d648c7247e2db064b7ba1b1b21722c475e3396

    • SHA256

      610eb77c6ef6c0767a1b8d0157b39ea5105697ffdf31d2afa5963e4da8cd0cb8

    • SHA512

      1f59fd8a717ff3bf9f57452440a6e08907cd9c32050aa399ab0a591c6109486410e74d21d5ee41355b4b041f4dd88c679d8077b611cfaea9c597aaa67ed0e8b4

    • SSDEEP

      384:chWz5Kfy24jHueR45qWWxWBWHKSqmqR4G:OYG

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Drops startup file

    • Adds Run key to start application

    • Target

      $RECYCLE.BIN/$RNQFVCX.js

    • Size

      2.0MB

    • MD5

      f8a9117d4c4217fd4cbab1da6d3359b6

    • SHA1

      f3ea387aeaf9e587d135d797e0468904328c291a

    • SHA256

      db99c6255bfd1d06c6a103e4602715c069039c140389d33d2909912e1b58158d

    • SHA512

      232eb1d882feac675994d192436254521b42a2b1d2ae32f6c5cd8618ae29d619a26ad9672f6644a62abfd484a1b0e76f69003d40f79a14cc200be4b124d0bea6

    • SSDEEP

      192:aZVhB3qe3Ju2l2ZUCz1ZNWDl01tHY8T0:cVHaLRZcmXpg

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Target

      Tb2_payment_receipt_pdf.vbs

    • Size

      304.0MB

    • MD5

      7f50ce31436aa43c5f650c5ba244606e

    • SHA1

      f07844cdad4a0c1286f38312169ac38e497662e5

    • SHA256

      4414b7a789914f859fc68e5a6e984fed0d4ee0068c1f2432a29d838efbf04179

    • SHA512

      949b2ff3e4ade813a6efd94aef292d420d5ae5582c3bf9521127829f99c59271f4758f31b2d4df7fd4288472cb561e4f30e115f5b0041e972848cfc816e3de3d

    • SSDEEP

      768:Zg+nD+EDiLl7higyKeOPqK8ntFYCTMMiKc5mKm2:ZgGFol0gPqK8fvTZcZb

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Modifies Installed Components in the registry

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 6
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 6

  • Discovery

    System Information Discovery (T1082): 10
    Query Registry (T1012): 7
    Peripheral Device Discovery (T1120): 2

Tasks

  • static1

    Tags: purecrypter
    Score: 10/10

  • behavioral1

    Score: 1/10

  • behavioral2

    Score: 1/10

  • behavioral3

    Score: 1/10

  • behavioral4

    Score: 1/10

  • behavioral5

    Score: 1/10

  • behavioral6

    Score: 1/10

  • behavioral7

    Score: 1/10

  • behavioral8

    Score: 1/10

  • behavioral9

    Score: 1/10

  • behavioral10

    Score: 1/10

  • behavioral11

    Tags: purecrypter, downloader, loader
    Score: 10/10

  • behavioral12

    Tags: purecrypter, downloader, loader
    Score: 10/10

  • behavioral13

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral14

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral15

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral16

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral17

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral18

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral19

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral20

    Tags: vjw0rm, persistence, trojan, worm
    Score: 10/10

  • behavioral21

    Tags: persistence
    Score: 8/10

  • behavioral22

    Tags: guloader, downloader, persistence
    Score: 10/10