MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c080c6425c6475e91fd8041db1609dc45c2f0e3e4073626c56f782685fb6621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vjw0rm


Vendor detections: 9



SHA256 hash: 0c080c6425c6475e91fd8041db1609dc45c2f0e3e4073626c56f782685fb6621
SHA3-384 hash: 57a7613b54c338082c62c3d2703b9cf3667d9f8b122ae2d10a3608f7e888636d327eb97b228187dfa6deeaf4832f0ccc
SHA1 hash: 63465170ad1af90d10c506a3c1a2d5f3aefc72cf
MD5 hash: 7d685c3a21c226778a183ced19fcac28
humanhash: music-quebec-island-sodium
File name: Recibo de pago.js
Signature: Vjw0rm
File size: 647'756 bytes
First seen: 2022-09-22 19:20:33 UTC
Last seen: 2022-09-23 07:47:59 UTC
File type: JavaScript (JS) js
MIME type: text/plain
ssdeep: 12288:tDC6BtKFgJKilkjFsrDv4hHVtBKk7L9kNH26sR:tDRtKmdWiw
TLSH: T10AD49D61FB845A8DF6980A8BD07C6E6E3BF36B05C5E3B3CCA393354B254EE5D2119844
Reporter: abuse_ch
Tags: js vjw0rm


abuse_ch
Vjw0rm C2:
http://goods.camdvr.org:2888/moz-sdk

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                           ThreatFox Reference
http://goods.camdvr.org:2888/moz-sdk          https://threatfox.abuse.ch/ioc/851154/
http://goods.camdvr.org:2888/ie               https://threatfox.abuse.ch/ioc/851155/
http://goods.camdvr.org:2888/give-me-chpv     https://threatfox.abuse.ch/ioc/851156/
http://goods.camdvr.org:2888/give-me-ffpv     https://threatfox.abuse.ch/ioc/851157/
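The first thing a defender does with these four URLs is hunt for them in egress logs. The script below is an added example written for this page, not code from MalwareBazaar or ThreatFox. It matches the page's four C2 URLs, the host:port from the config extraction further down (http://goods.camdvr.org:2888), and the ip-api.com lookup from the sandbox behaviour graph against constructed proxy log lines in an assumed "timestamp client method url" layout. Matching is tiered (exact URL, same host:port, same host, weak) so that a renamed path on the same server is still caught:

```python
import re
from urllib.parse import urlsplit

# Exact C2 URLs from the ThreatFox entries listed on this page.
C2_URLS = [
    "http://goods.camdvr.org:2888/moz-sdk",
    "http://goods.camdvr.org:2888/ie",
    "http://goods.camdvr.org:2888/give-me-chpv",
    "http://goods.camdvr.org:2888/give-me-ffpv",
]
# ip-api.com appears in the sandbox behaviour graph because the sample looks up
# its external IP there; it is a public service, so a hit is only weak evidence.
WEAK_HOSTS = {"ip-api.com"}

def normalize(url):
    """(host, port, path): host lower-cased, default port filled in, query and
    fragment dropped so a request for /ie?v=1 still matches the IOC path /ie."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    port = p.port or (443 if p.scheme == "https" else 80)
    return host, port, p.path or "/"

EXACT = {normalize(u) for u in C2_URLS}
C2_ENDPOINTS = {(h, p) for h, p, _ in EXACT}   # same host:port, any path
C2_HOSTS = {h for h, _, _ in EXACT}            # same host, any port

def classify(url):
    """Strongest matching tier for one URL, or None if nothing matched."""
    host, port, path = normalize(url)
    if (host, port, path) in EXACT:
        return "c2-url"
    if (host, port) in C2_ENDPOINTS:
        return "c2-endpoint"
    if host in C2_HOSTS:
        return "c2-host"
    if host in WEAK_HOSTS:
        return "weak"
    return None

# Constructed proxy log in an assumed "timestamp client method url" layout;
# these lines are illustrative, not traffic captured from the sample.
SAMPLE_LOG = """\
2022-09-22T19:25:01Z 10.0.0.12 GET http://goods.camdvr.org:2888/moz-sdk
2022-09-22T19:25:03Z 10.0.0.12 GET http://GOODS.camdvr.org:2888/ie?v=1
2022-09-22T19:25:07Z 10.0.0.12 POST http://goods.camdvr.org:2888/give-me-something-else
2022-09-22T19:25:09Z 10.0.0.12 GET http://ip-api.com/json
2022-09-22T19:26:00Z 10.0.0.13 GET https://example.com/
2022-09-22T19:26:04Z 10.0.0.13 GET http://goods.camdvr.org/moz-sdk
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

def hunt(log_text):
    """Return (client, url, tier) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tier = classify(m.group("url"))
        if tier:
            hits.append((m.group("client"), m.group("url"), tier))
    return hits

if __name__ == "__main__":
    for client, url, tier in hunt(SAMPLE_LOG):
        print(f"{tier:12} {client:10} {url}")
```

The host-only tier is deliberate: camdvr.org is a dynamic-DNS style domain, so the operator can move the listener to another port or path without touching the hostname, and the tier names let an analyst weight the alert accordingly.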

Intelligence


File Origin
# of uploads: 2
# of downloads: 362
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm evasive fingerprint obfuscated wscript.exe
Result
Verdict: MALICIOUS
Details:
Base64 Encoded Powershell Directives: detected one or more base64 encoded PowerShell directives.
Base64 Encoded URL: detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name: WSHRat, VjW0rm, AgentTesla
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Contains VNC / remote desktop functionality (version string found)
Detected WSHRat
Drops script or batch files to the startup folder
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
JScript performs obfuscated calls to suspicious functions
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Potential malicious VBS/JS script found (suspicious encoded strings)
Potential obfuscated javascript found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Sigma detected: VjW0rm
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Wscript called in batch mode (surpress errors)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected VjW0rm
Yara detected WSHRAT
Behaviour
Behavior Graph (ID 708110; sample "Recibo de pago.js"; start date 22/09/2022; architecture WINDOWS; score 100). The graph was exported as a single run of text; the facts it carried are laid out below, keyed by the graph's node numbers.

Root signatures: Sigma detected: Register Wscript In Run Key; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; 15 other signatures.

Process tree:
  wscript.exe (node 6)
    -> nicon4.0origin.exe (node 17)
    -> wscript.exe (node 21)
  wscript.exe (node 11)
    -> wscript.exe (node 23)
    -> wscript.exe (node 26)
  wscript.exe (node 13)
    -> wscript.exe (node 28)
  2 other processes (node 15)
    -> wscript.exe (node 30)

Network (node, destination, IP, destination port, client ports, AS, country):
  6    goods.camdvr.org                          37.0.14.211      2888        49707, 49712           WKD-ASIE         Netherlands
  6    wshsoft.company                           194.59.164.67    80          49717                  AS-HOSTINGERLT   Germany
  6    ip-api.com                                208.95.112.1     80          49705                  TUT-ASUS         United States
  17   mail.waterchem.com.tr / waterchem.com.tr  109.232.216.96   587         49718                  AEROTEK-ASTR     Turkey
  23   javaautorun.duia.ro                       194.5.98.12      not shown   49697, 49698, 49699    DANILENKODE      Netherlands
  23   192.168.2.1                               192.168.2.1      not shown   not shown              unknown          unknown

Dropped files (node, path, type):
  6    C:\Users\user\AppData\...\nicon4.0origin.exe        PE32
  6    C:\...\api-ms-win-crt-utility-l1-1-0.dll            PE32
  6    C:\Users\...\api-ms-win-crt-time-l1-1-0.dll         PE32
  6    98 other files (none is malicious)
  11   C:\Users\user\AppData\Roaming\dohKlqYtRl.js         ASCII
  11   C:\...\Recibo de pago.js:Zone.Identifier            ASCII
  11   C:\Users\user\AppData\...\Recibo de pago.js         ASCII
  23   C:\Users\user\AppData\...\dohKlqYtRl.js             ASCII

Per-node signatures:
  6    System process connects to network (likely due to code injection or exploit); Wscript called in batch mode (surpress errors)
  11   Benign windows process drops PE files; Detected WSHRat; JScript performs obfuscated calls to suspicious functions; 3 other signatures
  17   Antivirus detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 6 other signatures
  28   System process connects to network (likely due to code injection or exploit)
Threat name: Script-JS.Trojan.Vjw0rm
Status: Malicious
First seen: 2022-09-22 19:21:06 UTC
File Type: Text (JavaScript)
AV detection: 14 of 41 (34.15%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:agenttesla family:vjw0rm family:wshrat collection keylogger persistence spyware stealer trojan worm
Behaviour
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
Blocklisted process makes network request
AgentTesla
Vjw0rm
WSHRAT
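The Sigma hits in the signature list above (Register Wscript In Run Key, Drops script at startup location) and the behaviour entries Adds Run key to start application and Drops startup file describe one persistence pattern: a Run value or a file in the Startup folder that launches a script through wscript.exe or cscript.exe, typically from a user-writable path and with //B so script errors never surface to the user. The Python below is an added example, not code from the page or from any of the vendors quoted; it applies that logic to constructed Run values and a constructed Startup-folder listing. The file names dohKlqYtRl.js and Recibo de pago.js are the dropped files the sandbox lists, but the exact Run commands, the Startup path and the other entries are assumed for illustration:

```python
import re
from pathlib import PureWindowsPath

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths a standard user can write to; an autostart pointing a script host here is
# the pattern the Sigma rules describe (dropped script, Run key, Startup folder).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
STARTUP_MARK = "\\start menu\\programs\\startup\\"
ARG_RE = re.compile(r'"[^"]*"|\S+')   # Windows command-line tokens, quotes honoured

def tokenize(command):
    return [t.strip('"') for t in ARG_RE.findall(command)]

def assess_run_value(command):
    """Reasons a Run-key value looks like script-host persistence; [] if none."""
    tokens = tokenize(command)
    if not tokens:
        return []
    image, args = PureWindowsPath(tokens[0]), tokens[1:]
    reasons, script = [], None
    if image.name.lower() in SCRIPT_HOSTS:
        reasons.append("script host in Run key")
        for a in args:
            if a.lower() in ("//b", "/b"):          # batch mode: script errors suppressed
                reasons.append("batch mode (errors suppressed)")
            elif script is None and not a.startswith("/"):
                script = a                          # first non-switch argument is the script
    elif image.suffix.lower() in SCRIPT_EXT:
        # Bare .js/.vbs value: Explorer launches it through the registered script host.
        reasons.append("script launched via file association")
        script = str(image)
    if script and any(m in script.lower() for m in USER_WRITABLE):
        reasons.append("script in user-writable location")
    return reasons

def assess_startup(paths):
    """Script files inside a Startup folder; Explorer runs these at every logon."""
    return [p for p in paths
            if STARTUP_MARK in p.lower() and PureWindowsPath(p).suffix.lower() in SCRIPT_EXT]

def triage(run_values, startup_listing):
    """Run values with at least one reason, plus the suspicious Startup entries."""
    run = {}
    for name, cmd in run_values.items():
        reasons = assess_run_value(cmd)
        if reasons:
            run[name] = reasons
    return run, assess_startup(startup_listing)

# Constructed inputs, as a collector might export HKCU\...\Run and the Startup
# folder. Only the two script file names come from the sandbox report above.
RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "dohKlqYtRl": r'wscript.exe //B "C:\Users\user\AppData\Roaming\dohKlqYtRl.js"',
    "Recibo": r'"C:\Users\user\AppData\Roaming\Recibo de pago.js"',
    "Maint": r'C:\Windows\System32\cscript.exe C:\Windows\System32\maint.vbs',
}
STARTUP_LISTING = [
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dohKlqYtRl.js",
]

if __name__ == "__main__":
    run, startup = triage(RUN_VALUES, STARTUP_LISTING)
    for name, reasons in run.items():
        print(f"Run\\{name}: {', '.join(reasons)}")
    for path in startup:
        print(f"Startup: {path}")
```

The "Maint" entry is there to show why the reasons are separate: a script host in a Run key from a system directory is worth a look, but the combination with a user-writable script path and //B is what matches this sample's behaviour.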
Malware Config
C2 Extraction: http://goods.camdvr.org:2888
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: SUSP_Double_Base64_Encoded_Executable
Author: Florian Roth
Description: Detects an executable that has been encoded with base64 twice
Reference: https://twitter.com/TweeterCyber/status/1189073238803877889

Rule name: SUSP_Double_Base64_Encoded_Executable_RID34CC
Author: Florian Roth
Description: Detects an executable that has been encoded with base64 twice
Reference: https://twitter.com/TweeterCyber/status/1189073238803877889
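The vendor details earlier on this page ("Base64 Encoded Powershell Directives", "Base64 Encoded URL: an ANSI or UNICODE http:// or https:// base64 encoded URL prefix") and the SUSP_Double_Base64_Encoded_Executable rules above all rest on one property of base64: a fixed plaintext prefix has exactly three encoded forms, one per alignment of its first byte within the encoder's 3-byte groups, and a double encoding is that step applied twice. The Python below is an added example, not the text of those YARA rules or any vendor's detector. It derives the fragments for http:// and https:// in ASCII and in UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and for an assumed typical DOS-header start MZ\x90\x00\x03\x00\x00\x00 encoded twice, then scans a constructed script fragment and decodes the hits to recover the URLs this page lists:

```python
import base64
import binascii
import re

def base64_variants(data):
    """The three base64 fragments that can encode `data`, one per alignment of
    its first byte in the encoder's 3-byte groups. For alignment k, k placeholder
    bytes are encoded in front of the data and every output character whose value
    depends on the placeholders (2 chars for k=1, 3 for k=2) or on the zero bits
    that pad an incomplete final group (1 char) is discarded."""
    out = set()
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + data).decode("ascii").rstrip("=")
        lead = (0, 2, 3)[k]
        tail = 1 if (k + len(data)) % 3 else 0
        out.add(enc[lead:len(enc) - tail])
    return out

def layered_variants(data, layers):
    """Fragments surviving `layers` successive base64 encodings (2 = double base64)."""
    frags = {data}
    for _ in range(layers):
        frags = {v for f in frags
                 for v in base64_variants(f if isinstance(f, bytes) else f.encode("ascii"))}
    return frags

# Assumed typical start of a PE DOS header (e_magic, e_cblp, e_cp, e_crlc).
MZ_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"
INDICATORS = {
    "b64-url-ascii": base64_variants(b"http://") | base64_variants(b"https://"),
    "b64-url-utf16": base64_variants("http://".encode("utf-16-le"))
                     | base64_variants("https://".encode("utf-16-le")),
    "b64x2-mz": layered_variants(MZ_PREFIX, 2),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # candidate base64 runs
URL_RE = re.compile(r"https?://[!-~]+")

def decode_b64(text):
    """Decode a base64 string, repairing missing padding; None if not base64."""
    text = text.rstrip("=")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def carve(text):
    """For each base64 run carrying an indicator: which indicators fired, the
    URLs recoverable by decoding (ASCII or UTF-16LE), and whether decoding a
    second time yields an MZ header."""
    findings = []
    for tok in TOKEN_RE.findall(text):
        labels = sorted(n for n, pats in INDICATORS.items() if any(p in tok for p in pats))
        if not labels:
            continue
        urls, pe = [], False
        raw = decode_b64(tok)
        if raw is not None:
            urls += URL_RE.findall(raw.decode("latin-1"))
            try:
                urls += URL_RE.findall(raw.decode("utf-16-le"))
            except UnicodeDecodeError:
                pass
            inner = decode_b64(raw.decode("latin-1"))
            pe = inner is not None and inner.startswith(b"MZ")
        findings.append({"labels": labels, "urls": urls, "pe": pe})
    return findings

def b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed script fragment (not the page's sample): the URLs this page lists,
# hidden the way droppers usually hide them, plus a benign control string.
SAMPLE_SCRIPT = "\n".join([
    'var a = "' + b64(b"http://goods.camdvr.org:2888/moz-sdk") + '";',
    'var b = "' + b64(b"ref=http://goods.camdvr.org:2888/ie") + '";',   # URL at alignment 1
    'var c = "' + b64("http://goods.camdvr.org:2888/give-me-chpv".encode("utf-16-le")) + '";',
    'var d = "' + b64(b64(MZ_PREFIX + b"\x00" * 24).encode("ascii")) + '";',
    'var e = "' + b64(b"hello world") + '";',
])

if __name__ == "__main__":
    for finding in carve(SAMPLE_SCRIPT):
        print(finding)
```

The trailing strip matters: the last character of a padded group carries zero bits that come from the encoder, not the data, so it changes when the same string sits inside a longer payload. Dropping it keeps the fragment valid for embedded matches at the price of a slightly shorter pattern, which is why the MZ prefix is taken eight bytes long rather than two.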

File information


Additional information about this malware sample, such as delivery method and external references, is listed here when available.

Comments