General
Target: 3.7z
Size: 827KB
Sample: 230329-m9x7lshf2y
MD5: 301ea8b566d8c25915115705486dd24c
SHA1: 8a9fb7b59ef7bf29cc62063781765bf314251709
SHA256: 94e303522613e9d7826ae18fcc1a124b0293f21c4a44dc0da59e9ef50697fb5e
SHA512: b2c3fe65377b82c111cc498e8ae098f90e1115a484d38378da4e3ead98a4a94bb751d0c49350c73964871a4a11f1d974c8ae935ab69ec91581fb15f9274f26f5
SSDEEP: 12288:0pIApc3WPRs7euTE7QwcBqicfLz5pH/r2hongAR1abtC9pbys+qJ/pBW1CUtv4:0dySsauToQSjLd1itCWsPt21CU6
Static task: static1
Behavioral task: behavioral1 (sample 1.js, resource win7-20230220-en)
Behavioral task: behavioral2 (sample 1.js, resource win10v2004-20230220-en)
Behavioral task: behavioral3 (sample 2.js, resource win7-20230220-en)
Behavioral task: behavioral4 (sample 2.js, resource win10v2004-20230220-en)
Behavioral task: behavioral5 (sample 3.bat, resource win7-20230220-en)
Behavioral task: behavioral6 (sample 3.bat, resource win10v2004-20230220-en)
Malware Config

Targets

Target: 1.js
Size: 4.5MB
MD5: 9cf2c793029ae8dd84a387ba66e8c432
SHA1: 48f6d8e5c4f55434a3d1fdc1531bd37fb6248d10
SHA256: d76d9fa7fa75a31b2a62804c8925a1c352f407831865bebc005b7f01676b5ac9
SHA512: 33dd2fbc290c8feb31570e200f469729d5385e3f214edb4299b47bd841a0cd24a9ea211808e6c58cef63a812b27558852dbed2daf0cfac8953b3d028fd019848
SSDEEP: 24576:8NLb0+2xYFsLoDw9svltZ7r55HNYYkY4WOxbZQCgvRo5PD1rMLSeGU0pOlBY9Pcw:3ueQa
Score: 10/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: 2.js
Size: 6KB
MD5: a06abd9207494264539c74e0488bd764
SHA1: 2c41cbed0be158952264cd403424bbd8a6105861
SHA256: 7423bcf31edecb0625e2606f5873fc5bb84cfbfc89fc8549c5772525b83076c5
SHA512: 9b39b09523073c5872ec84612b853c203caf7f82f7625f7420d9f2a694c80e007532949ebe919742825d3a4c5a817c7fc2195cde2d639e5e0c9fd1f17789b30e
SSDEEP: 192:iZRaapRYFDdPa+4sUsuUIu3Qq//1e1EiRW14xl8:iZEDha+4M/kl6Z
Score: 8/10
- Blocklisted process makes network request
Target: 3.bat
Size: 145KB
MD5: 476d87590230e420d07a4d6fd677bd1d
SHA1: 29a2c881b58dd4d9ea40c2208952fdc39627265d
SHA256: b6ee5ced40c6a82853e8b5543e139254b0aa9c503b670943818b332297293dd2
SHA512: f2bad15633d8f8801eeb0843c9b7462480b8927014db4a0adc05f631a19039e6b15e63265d19eb624979b762fd1640435acffd65d34dd2b9ef219a0c7126edbc
SSDEEP: 3072:lKEN79wvVZHRTlfG+7nxmiNQuJ7Mhs6gf/Ks+vCN/MG1XLfzz6PM:ld9w7HRT/7nhiu7ks6gfSsrN/nXjzz6U
Score: 7/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory