MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d3675bba3da579b093fd576fca9d1a47a3100d358391b5b7f3a368ee35a69e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vjw0rm

Vendor detections: 10



SHA256 hash: 2d3675bba3da579b093fd576fca9d1a47a3100d358391b5b7f3a368ee35a69e7
SHA3-384 hash: 657f19855833cee50b1c8e0a5a3a3e1a39b97bc08e8149f00d135aa8d8f8ffcca266fb828b67cb988c3c9b642cc9e972
SHA1 hash: 1f2719208472e54401e66978d919474ab7146a80
MD5 hash: a80644c814a5b9c8f0618cd82c6c89e3
humanhash: hydrogen-quebec-river-skylark
File name: a80644c814a5b9c8f0618cd82c6c89e3.exe
Signature: Vjw0rm
File size: 2'914'816 bytes
First seen: 2021-07-01 03:11:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:H6P07OFkfhDu+G07Eq6T18ZpYn8OS8QdsO7q5AyuC7OzeEM:S0KKDuG7x6T1QY8CQKOhBCSK
Threatray: 243 similar samples on MalwareBazaar
TLSH: 80D5335E7D52EFA0CD2D963E26F4E566CE811E06CE16C21E1C1463BC4F9325B910BECA
Reporter: abuse_ch
Tags: exe vjw0rm


abuse_ch
Vjw0rm C2:
http://kingspy.mywire.org:797/Vre

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://kingspy.mywire.org:797/Vre
ThreatFox reference: https://threatfox.abuse.ch/ioc/156641/

Intelligence


File Origin
# of uploads: 1
# of downloads: 156
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a80644c814a5b9c8f0618cd82c6c89e3.exe
Verdict: Malicious activity
Analysis date: 2021-07-01 03:14:14 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected njRat
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Drops script or batch files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global get message hook
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Njrat
Behaviour
Behavior Graph: [graph image not reproduced here] Behavior Graph ID: 442714, Sample: 7QvPc8EGSr.exe, Start date: 01/07/2021, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-06-29 15:03:13 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:nanocore family:vjw0rm evasion keylogger persistence spyware stealer trojan worm
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
NanoCore
Vjw0rm
Malware Config
Dropper Extraction:
https://www.uplooder.net/f/tl/77/7b317eef092437d4f2d921c078f9f9b6/as.mp3
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CN_disclosed_20180208_c
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://twitter.com/cyberintproject/status/961714165550342146
Rule name: Glasses
Author: Seth Hardy
Description: Glasses family
Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features
Rule name: Njrat
Author: JPCERT/CC Incident Response Group
Description: detect njRAT in memory
Rule name: pe_imphash
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Skystars_LightDefender_Njrat_Rule
Author: Skystars LightDefender
Description: Detects Njrat
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments