vjw0rm | 3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06 | Triage

Sharing

General

Target

e1c35fbb0a2f810800e6619448f0fec6
Size

313KB
Sample

240327-qkr6vach77
MD5

e1c35fbb0a2f810800e6619448f0fec6
SHA1

8a84a677134b31b93434e8aedc9cea27e91f6058
SHA256

3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06
SHA512

1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27
SSDEEP

6144:tREDKt1MlepfYOzkRElvXPgBLUWA2aY1yWjmWDinsxu9c34B:tRKTqzARElPPgBL3AuyWjzK9cIB

Score

10^/10

vjw0rm xloader o7ht loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o7ht

Decoy

crs-onlineshop.com

desertrosecamping.com

frequencyclips.com

andrewhair.com

leuswim.com

revenuecat.net

payplticket593178197.info

replacementrs.com

flnativemilkmilkweed.com

rintashop.com

shonan5656.com

lexingtonclarke.com

alfapvp2020.xyz

buywetsuitsonline.com

gomihuomh.com

rabo-betaling.xyz

thyhotyoga.com

careplayground.com

bitlineage.com

5923699.com

Targets

- Target
  
  e1c35fbb0a2f810800e6619448f0fec6
- Size
  
  313KB
- MD5
  
  e1c35fbb0a2f810800e6619448f0fec6
- SHA1
  
  8a84a677134b31b93434e8aedc9cea27e91f6058
- SHA256
  
  3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06
- SHA512
  
  1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27
- SSDEEP
  
  6144:tREDKt1MlepfYOzkRElvXPgBLUWA2aY1yWjmWDinsxu9c34B:tRKTqzARElPPgBL3AuyWjzK9cIB
Score

10^/10

vjw0rm xloader o7ht loader persistence rat trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmxloadero7htloaderpersistencerattrojanworm

behavioral2

vjw0rmxloadero7htloaderpersistencerattrojanworm