vjw0rm | 5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0 | Triage

Sharing

General

Target

5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0
Size

194KB
Sample

241121-z72s8ssmgr
MD5

9dc0365f7e8d437f9d85797c02e65370
SHA1

4a78a78b00f5e5054051ed5e582d7fdb639d96c8
SHA256

5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0
SHA512

095642c3e10a9b1251c83102110d814db7914f740a86b1bea74e5a817af2ff582215a2223d951cf193f9c870e947a89567f70bfe01a88eb3828749c98aabcfa1
SSDEEP

3072:oWAObH4JhkLh/jdD8GDmh2MCGki7LpAzg6AZowGc+d6QLNWUFo8Sf/9b6mdrX:ppShk5jdwGKh2MPfUgX7ZQLzkBrX

Score

10^/10

vjw0rm xloader pzi0 discovery execution loader persistence rat trojan worm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Targets

- Target
  
  d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e
- Size
  
  354KB
- MD5
  
  4e5cc8fddecae16e747e6b1a48b31cd5
- SHA1
  
  9195d4069bc82b38261bb9ec58333921e7164eac
- SHA256
  
  d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e
- SHA512
  
  fa27ad2184bc22d0d7784e1ecffd049266c43b196635373e73280d71e244061687113143361e8466f29f489259afd0b18e8c50ffb37007cc199fea0e28475ad1
- SSDEEP
  
  6144:MFy6iTj2GQabp6O5GiyPXg6FRC5epPNmyJn6kiMJ+ME5fSKO37S:MFy6NagigXg6FR7NmyJGMfExSPG
Score

10^/10

vjw0rm xloader pzi0 discovery execution loader persistence rat trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Vjw0rm family
  vjw0rm
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmxloaderpzi0discoveryexecutionloaderpersistencerattrojanworm

behavioral2

vjw0rmxloaderpzi0discoveryexecutionloaderpersistencerattrojanworm