MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 007ee67c4bec255a19ab2b6fa0f159e9d9636c74dde34f9ddbf3b45ced74cebe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vjw0rm


Vendor detections: 10



SHA256 hash: 007ee67c4bec255a19ab2b6fa0f159e9d9636c74dde34f9ddbf3b45ced74cebe
SHA3-384 hash: 79bd334551da7ae3213cb59df9fc80b32697dc777fb3d581812d31f879c030f88e50b8197deeb3c5be3530114f1d6100
SHA1 hash: c5392f8e367924c2dacb646c6e3c1ea393b317a5
MD5 hash: 93ede5d435cb9b8f16263bbafab6a449
humanhash: eighteen-blossom-foxtrot-cold
File name: 007EE67C4BEC255A19AB2B6FA0F159E9D9636C74DDE34.exe
Signature: Vjw0rm
File size: 3'747'328 bytes
First seen: 2022-01-21 23:36:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 46978de0f8944a65af1673d613222a98 (5 x Smoke Loader, 5 x Vjw0rm, 3 x FormBook)
ssdeep: 49152:5UsrC6aEeWfmde0IfNxS3/tb8e8SX9cC31cHFMakecJMGklhqvFXjjxYDUvc0:BC6faFb8atcH6akeR0hjjKUvc0
Threatray: 882 similar samples on MalwareBazaar
TLSH: T19F06AE0163E3C1E9CE179172D8A4C232DA71FC1E9724A9DB26D08D5EFF12EE21579782
dhash icon: c884e2f174bc1e26 (1 x Vjw0rm)
Reporter: abuse_ch
Tags: exe vjw0rm


abuse_ch
Vjw0rm C2:
http://webdate.publicvm.com:1007/Vre

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://webdate.publicvm.com:1007/Vre
ThreatFox reference: https://threatfox.abuse.ch/ioc/311055/

Intelligence


File Origin
# of uploads: 1
# of downloads: 338
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 007EE67C4BEC255A19AB2B6FA0F159E9D9636C74DDE34.exe
Verdict: Suspicious activity
Analysis date: 2022-01-21 23:46:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Modifying a system file
Running batch commands
Replacing files
Launching a service
Launching a process
Sending a custom TCP request
Sending a UDP request
DNS request
Forced system process termination
Sending an HTTP GET request
Creating a process with a hidden window
Blocking the Windows Defender launch
Downloading the file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes autostart functionality of drives
Contains functionality to register a low level keyboard hook
Drops PE files to the startup folder
Machine Learning detection for sample
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph ID: 558012 (sample 007EE67C4BEC255A19AB2B6FA0F..., start date 22/01/2022, architecture WINDOWS, score 100) [process/network graph image not reproduced]
Threat name: Win32.Trojan.Hotkeychick
Status: Malicious
First seen: 2022-01-20 23:07:00 UTC
File Type: PE (Exe)
Extracted files: 122
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:vjw0rm evasion persistence trojan upx worm
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Vjw0rm
Malware Config
C2 Extraction:
http://webdate.publicvm.com:1007
Dropper Extraction:
http://gamecardsy.com/ahmadtestupl/kell5.bat
http://gamecardsy.com/ahmadtestupl/kilall.vbs
Unpacked files
SHA256 hash: 909de1f36bb477233c4ce32640b48a71c6e8cfd36b7260e6ae46c6e087b84f32
MD5 hash: 005d0e74f985332cdcdf4a48e80d998c
SHA1 hash: 934f78e3ff30ab313a5e5bc165189686ab3f71c4

SHA256 hash: 5f819f6eae4b5845c082edf14cb389ab9805bc3c17440f3b5398d4fdd0079ffe
MD5 hash: d7e5d3a09ebfa04c5e2eb9bf6ec9947b
SHA1 hash: 3d9ebbdda068d39033aae44001efd8909919458c

SHA256 hash: 007ee67c4bec255a19ab2b6fa0f159e9d9636c74dde34f9ddbf3b45ced74cebe
MD5 hash: 93ede5d435cb9b8f16263bbafab6a449
SHA1 hash: c5392f8e367924c2dacb646c6e3c1ea393b317a5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments