MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cc4d6c30090fac70487754d80d491a446e56ae9e22162740f91157615ad00a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cc4d6c30090fac70487754d80d491a446e56ae9e22162740f91157615ad00a9
SHA3-384 hash: 2b0108b4d06ea38c0a25b54037022c2928a5178aa792bba27aebde3e74223a30734f67d6334af2d85f5743545dbd2ccb
SHA1 hash: c962b9b13a1deca7ad1be5cc7602c92bab676cc8
MD5 hash: 03ad40992141e6c10901095d2f9fbe0b
humanhash: cardinal-ten-william-vermont
File name:Purchasev0m20227974.js.pif.exe
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:1'548'931 bytes
First seen:2022-10-10 05:56:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:0AOcZ2i7uVKsdYHec9q3KQS4tPjMuSF/i4Kc+8oYLDdticTr+Mo5pemHI0Yuyqh:iHVKIYHXdPePouY/+cPoYimxo5EmHWqh
TLSH T165651203B79584B2D1723D315935E726697DBD310E24DA2EA3F498BE9A305C0A325FB3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0d8ec9898f0d8aa (9 x Formbook, 6 x NanoCore, 3 x Vjw0rm)
Reporter abuse_ch
Tags:exe vjw0rm


Avatar
abuse_ch
Vjw0rm C2:
http://185.157.162.115:7974/Vre

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.157.162.115:7974/Vre https://threatfox.abuse.ch/ioc/872690/

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318134/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Creating a file
Launching a process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42140/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6343b42f1565eeb6424f3937/reports/ab9974ee-a32c-43b9-a10b-1abfb649ff04/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/276a8bcd-012b-499a-aff1-7c8a193c1417
Result
Threat name:
VjW0rm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086688
Signature
Antivirus detection for dropped file
Disables the Windows task manager (taskmgr)
Drops script or batch files to the startup folder
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Yara detected AntiVM autoit script
Yara detected VjW0rm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 719245 Sample: Purchasev0m20227974.js.pif.exe Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 53 geoplugin.net 2->53 55 Snort IDS alert for network traffic 2->55 57 Antivirus detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 6 other signatures 2->61 11 Purchasev0m20227974.js.pif.exe 3 33 2->11         started        14 wscript.exe 12 2->14         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\nasjfqvw.exe, PE32 11->47 dropped 49 C:\Users\user\AppData\Local\...\v0m7974.js, ASCII 11->49 dropped 17 wscript.exe 1 13 11->17         started        22 wscript.exe 1 11->22         started        69 System process connects to network (likely due to code injection or exploit) 14->69 71 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 14->71 signatures6 process7 dnsIp8 51 185.157.162.115, 2404, 49703, 49704 OBE-EUROPEObenetworkEuropeSE Sweden 17->51 45 C:\Users\user\AppData\Roaming\...\v0m7974.js, ASCII 17->45 dropped 63 Drops script or batch files to the startup folder 17->63 65 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 17->65 24 nasjfqvw.exe 2 4 22->24         started        file9 signatures10 process11 signatures12 67 Disables the Windows task manager (taskmgr) 24->67 27 wscript.exe 24->27         started        29 mshta.exe 24->29         started        31 mshta.exe 24->31         started        33 5 other processes 24->33 process13 process14 35 nasjfqvw.exe 27->35         started        process15 37 mshta.exe 35->37         started        39 mshta.exe 35->39         started        41 mshta.exe 35->41         started        43 3 other processes 35->43
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5cc4d6c30090fac70487754d80d491a446e56ae9e22162740f91157615ad00a9/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 02:55:16 UTC
File Type:
PE (Exe)
Extracted files:
99
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltcnnqyasd5mobehovgybverurdok2xj4iqwe5apsekxmfnnacuq._file
Verdict:
malicious
Result
Malware family:
vjw0rm
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:vjw0rm botnet:explorer wd evasion persistence rat trojan worm
Link:
https://tria.ge/reports/221010-gnk29sbaaj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Executes dropped EXE
Remcos
Vjw0rm
Malware Config
C2 Extraction:
185.157.162.115:2404
http://185.157.162.115:7974
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dae6e486-135c-476f-add1-ef4aa8653635
Unpacked files
SH256 hash:
79931eaada9c068b1dfb393f4541f0dabdc657a8ad6fd68fc8bbf3cac6b412f4
MD5 hash:
de7604b8137fad5520ec7ce4a8b27a7c
SHA1 hash:
89f3e189cedaa5527f25383c4cad8adaf876aedc
Link:
https://www.unpac.me/results/61c32fd5-f40a-4fc5-912b-1e80ba24f77f/
SH256 hash:
72bc7be4b6cb03cf69d419f17d2c6037e66ac14a5cec9942aa376897ece03c9b
MD5 hash:
99d8b434a310907f00a0059d3eedb6bc
SHA1 hash:
64339a698f62faec72285f9dee43319408412b3a
Link:
https://www.unpac.me/results/61c32fd5-f40a-4fc5-912b-1e80ba24f77f/
SH256 hash:
5cc4d6c30090fac70487754d80d491a446e56ae9e22162740f91157615ad00a9
MD5 hash:
03ad40992141e6c10901095d2f9fbe0b
SHA1 hash:
c962b9b13a1deca7ad1be5cc7602c92bab676cc8
Link:
https://www.unpac.me/results/61c32fd5-f40a-4fc5-912b-1e80ba24f77f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cc4d6c30090fac70487754d80d491a446e56ae9e22162740f91157615ad00a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318134/

Comments