MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vjw0rm


Vendor detections: 8



SHA256 hash: 22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d
SHA3-384 hash: b8d1cdc73a46b7bba50849a3ec5d29c193f64019a368cff5a8d06f06c68cf9ddd144efbe78b16e453bfd12a334a7f5aa
SHA1 hash: 9d138f1bf129473cb0d74c0d94ec8af2daa311c7
MD5 hash: 52bbd67fdb23378f2ad43efb150abdc4
humanhash: six-harry-victor-montana
File name: 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
Signature: Vjw0rm
File size: 3'260'928 bytes
First seen: 2021-06-29 19:16:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 46978de0f8944a65af1673d613222a98 (5 x Smoke Loader, 5 x Vjw0rm, 3 x FormBook)
ssdeep: 49152:DUsrC6aEvEWfmde0IfNxS3/tb8e8SXDcC31c11vMj+tQ+LP2:XC6VaFb8a/c11vMj2T2
Threatray: 683 similar samples on MalwareBazaar
TLSH: 25E59D02B3D2C1F6DE6352B1C9A1C332EA35BC25073A9ADB63D01E2FFE526915A35351
Reporter: abuse_ch
Tags: exe vjw0rm


abuse_ch
Vjw0rm C2:
http://domaineweb.publicvm.com:1002/Vre

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://domaineweb.publicvm.com:1002/Vre
ThreatFox reference: https://threatfox.abuse.ch/ioc/155828/

Intelligence


File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 22F93B97E4EE74C1AF48CBDCF878A983CBE2FBA7EEFC5.exe
Verdict: Malicious activity
Analysis date: 2021-06-29 19:20:24 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Drops PE files to the startup folder
Drops PE files to the user root directory
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell creates an autostart link
Powershell drops PE file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: Behavior Graph ID: 442028, Sample: 22F93B97E4EE74C1AF48CBDCF87..., Startdate: 29/06/2021, Architecture: WINDOWS, Score: 100 (rendered process/network graph not reproduced here)
Threat name: Win32.Trojan.Hotkeychick
Status: Malicious
First seen: 2021-06-26 06:41:54 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vjw0rm evasion persistence trojan worm
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies security service
Vjw0rm
Malware Config
Dropper Extraction:
http://gamecardsy.com/ahmadtestupl/DefenderControl.exe
http://gamecardsy.com/ahmadtestupl/DefenderKill.txt
http://gamecardsy.com/ahmadtestupl/Defender.bat
http://gamecardsy.com/ahmadtestupl/ff.ps1
http://gamecardsy.com/ahmadtestupl/DefenderControl.txt
Unpacked files
SHA256 hash: ec5e4f22dfca29a372dbe3f288ca17cee98db5baa45d57f225fe64f5d19917bb
MD5 hash: c92bef175ef30dd22fa2bab2d07ddd09
SHA1 hash: 0614e3ff4b5bf14a86a1b962436a26ac901265f1
SHA256 hash: 22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d
MD5 hash: 52bbd67fdb23378f2ad43efb150abdc4
SHA1 hash: 9d138f1bf129473cb0d74c0d94ec8af2daa311c7
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments