vjw0rm | 401e18b7eeb6576132e22aca31032606a0b40c88f5a337ceb6d3f3dd45338e3c | Triage

Sharing

General

Target

401e18b7eeb6576132e22aca31032606a0b40c88f5a337ceb6d3f3dd45338e3c
Size

180KB
Sample

241121-yxqsjs1kek
MD5

3d4aaa3cf637f217a8ca3d66f4370e5d
SHA1

f3bdb1dfede1c0ab9f66198553639215c0c93c30
SHA256

401e18b7eeb6576132e22aca31032606a0b40c88f5a337ceb6d3f3dd45338e3c
SHA512

dccc39690f7660bc8353c47c503f39f285e5983021918bceda9260efedbb6f40561ae3d5fd4e46109baeac993f7761c8ef99bfe7085573014f69c8363c5b87c2
SSDEEP

3072:WDAqleYnMQPMPXdJiJGTXJX2Hi/662LTdl1XCAodK34xqQ+RGIu+6XddQeOw5s4L:1oMIM3iJaXJX2Hi0LEjg34xqQ+RjXoLT

Score

10^/10

vjw0rm xloader wqos discovery execution loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wqos

Decoy

nobis.one

firecrestfineart.com

zhongqiaolw.com

healthcaremovement.com

amothersloveliberates.com

maskscafe.com

dkukkmk.icu

realmindofmitch.com

cranes-crossing.com

deeplyrootedplants.com

doodlesbakery.com

xiaomagu.com

lactase-enzym.com

comprartecnologia.com

making-my-new-normal.com

ruksamin.com

inforko.com

2mblueprint.com

pinkfang.com

100daysofbush.com

Targets

- Target
  
  Order 2021-600918.js
- Size
  
  311KB
- MD5
  
  f875ce20d9473d5dd74d2e0382fb32ba
- SHA1
  
  a9b75554d7cb9eae3f06c2b9f3b7cf60617b32d8
- SHA256
  
  b71e66c2f3dd88356df6c1bb0cab806156e91bed324c376b45cae58ce051ceff
- SHA512
  
  1eccb095f0bd41fb28879a726d8257b3a30cc487efa33fe24f2be2899596ee99bc54179d7003493aec50e55f6e6beac77616a9a8d9c3d80e4cb4a0244c33c4fe
- SSDEEP
  
  6144:X/Rfo2A0XbJtYp+JPNqRvhQoACsix01v8sPgMBZe9c/slHWiqIWvfQwc:mkFtYwPNqRGrCG9rYML/FjvI
Score

10^/10

vjw0rm xloader wqos discovery execution loader persistence rat trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Vjw0rm family
  vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmxloaderwqosdiscoveryexecutionloaderpersistencerattrojanworm

behavioral2

vjw0rmxloaderwqosdiscoveryexecutionloaderpersistencerattrojanworm