Overview

overview

10

Static

static

7

9e98c04e77...21d.js

windows7-x64

10

9e98c04e77...21d.js

windows10-2004-x64

10

c72d738747...8bf.js

windows7-x64

10

c72d738747...8bf.js

windows10-2004-x64

10

cc03a8f943...70.exe

windows7-x64

10

cc03a8f943...70.exe

windows10-2004-x64

1

eb6af295c3...cb.exe

windows7-x64

7

eb6af295c3...cb.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloads.rar

  • Size

    1.4MB

  • Sample

    230325-k9fw8aca64

  • MD5

    8e4150faf7e109bb27bae81ee77e2593

  • SHA1

    6544b682bb420ae6a0922906b90c0fe2851650e3

  • SHA256

    453b93a211b664c8be6ad43c584a9c4e3781ea9e51c3d9d598b4cd9719fcb7c6

  • SHA512

    94ba63c6da0825b75ec75645b1a897daeee1beab171d55c9eed45f072e4333d777156509794b1d6425fcfdeda789a2c13fb22cd13dfa737e36c3694f949aba3c

  • SSDEEP

    24576:oDADPbxO1WFjaO9dqSF0oalGCbkXECIdxGMvMIYtbZ57gKrlPT+:oDOPbxO1WFuO9NuGCgXKFMvp7ZBT+

Score
10/10
asyncratvjw0rmwshratdefaultpersistencerattrojanupxworm

Malware Config

Extracted

Family

wshrat

C2

http://smile4u.webredirect.org:4242

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

120.78.151.171:6658

Mutex

bbbanchun

Attributes
  • delay

    10

  • install

    false

  • install_file

    flash.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      9e98c04e777e77b1498f4b3447b6221d.js.vir

    • Size

      3.5MB

    • MD5

      9e98c04e777e77b1498f4b3447b6221d

    • SHA1

      00a23c268459816d8fe5d46bda86a36f06e0c374

    • SHA256

      39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3

    • SHA512

      e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5

    • SSDEEP

      24576:mOEJFi25vJDMJ7Ukw2QaaRn1xWl1TUPZAO2OR1X1S8DlF5y0d5tQtiTWyXE7D/Ag:6ZMf

    Score
    10/10
    vjw0rmwshratpersistencetrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

      trojanwshrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      c72d738747f68d4f8d9e9368e47928bf.js.vir

    • Size

      9.2MB

    • MD5

      c72d738747f68d4f8d9e9368e47928bf

    • SHA1

      00b523b2e3ab0f2bfd7d4aabf3b1c33ae390c585

    • SHA256

      06b94b3ec86bd4a61888848f379808954de1ff2a1fe471edcfa312f5e9ba2ab5

    • SHA512

      1a01baa0c813b928cf5dfe456f76acdcf9be0e0df8a6131e248f9aa5456c65a69cb9809efe56afc4db32cfeeb93ca42e3319f1e53689ba4ed23b77911b802c61

    • SSDEEP

      3072:gNK8RjR/R8x/xqm2O1IrWa7Mjv/GnOv3GmPLjCKKIz9vs2J96i/OBDVOdz83Pm7+:I

    Score
    10/10
    vjw0rmtrojanworm

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

      trojanwormvjw0rm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    behavioral3behavioral4

    • Target

      cc03a8f9433b57e4ea8a87544dde5470.exe.vir

    • Size

      35KB

    • MD5

      cc03a8f9433b57e4ea8a87544dde5470

    • SHA1

      d44e2e33aa3f7780db64ece0483958b87b063a75

    • SHA256

      8688a4bb898f17009992f83072b5c5a3a60e9e552a95002470e1c2f885563fbd

    • SHA512

      50ac102923a0eb17f27c24ca1528fd03258eef549448bfe6e4b7d91c57a2e0a2b4c8eb2a7018afca875f547b9d12c2d5e046755edef55301be9dcd6632d5fdce

    • SSDEEP

      768:tTRSgQ0ZZeIYVudX6nHs+Y5nXq0AZ7yx6tWLrx7GR4:t1peKT5Xq0s6GWLr9q4

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Async RAT payload

      rat
    behavioral5behavioral6

    • Target

      eb6af295c348f16f2361cbe96fdc3bcb.exe.vir

    • Size

      549KB

    • MD5

      eb6af295c348f16f2361cbe96fdc3bcb

    • SHA1

      70a3ab96557fb23d306e1cf4ad809e88866b2051

    • SHA256

      b6e51307f7707d56e7b698aa432f429b1ea504a71fa406e8e4276efa8d62aeeb

    • SHA512

      b2681641d6ea34f12b2b79dcd81f0c22109f66d162f63787c3ec58eaa4af33f202b7fa19807b3414b55546e06c1230ffc8367e51f1d39f9f96cc63e07f06de3c

    • SSDEEP

      12288:wO/lcNkfv7X2HhTUok0e7VJgGRGLKjrd+nvjIiykW43gpz4zBEQ1Kcoeli9ibHp:wKlcNGvkWXgGRGL6hS933gx4uBcPz

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks