MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vjw0rm


Vendor detections: 18



SHA256 hash: 56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
SHA3-384 hash: 74b3eb785201d9b98a57c5886f73c16aea6f3feec15e9a3ad0d037fc29051a2e6f0db3fa98fb95e26f847d8bd2e84c6f
SHA1 hash: 8f70abe57d708789e9c56ad98386c40253224758
MD5 hash: f83cb2f595ba590173ecc32fe1a4f957
humanhash: washington-muppet-triple-ack
File name: f83cb2f595ba590173ecc32fe1a4f957
Signature: Vjw0rm
File size: 1'796'083 bytes
First seen: 2022-11-05 02:15:00 UTC
Last seen: 2023-08-27 08:46:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:rAOcZGRcaQLzZAZ5WCGXZ2El/5DVvnrjsNNIJhYPZwyI3Tr+Mo5pemHI0YuyqI8u:tBQvZAZ4zJXvMNN8YBdcxo5EmHWqI8u
Threatray: 4'328 similar samples on MalwareBazaar
TLSH: T19D852312F7C284B3E4B71D32553A75256E7DBA700E34CB5EF3D49D6CAA30A90A124B63
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: cb8f2f9cbdbf8dcd (6 x AveMariaRAT, 2 x AgentTesla, 1 x Vjw0rm)
Reporter: zbetcheckin
Tags: 32 exe vjw0rm

Intelligence


File Origin
# of uploads: 2
# of downloads: 166
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: Prices.tar.bz2
Verdict: Malicious activity
Analysis date: 2022-10-19 05:49:31 UTC
Tags: keylogger rat remcos stealer trojan avemaria warzone

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching cmd.exe command interpreter
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Changing a file
Blocking the User Account Control
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Remcos, VjW0rm
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Drops script or batch files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Sigma detected: VjW0rm
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM autoit script
Yara detected Remcos RAT
Yara detected VjW0rm
Behaviour
Behavior Graph:
Behavior Graph ID: 738595
Sample: UvdmtZBtGX.exe
Start date: 05/11/2022
Architecture: WINDOWS
Score: 100
Signatures on the sample: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures

Process tree (dropped files, signatures and network contacts are listed under the process that produced them):
UvdmtZBtGX.exe
  dropped: C:\Users\user\AppData\Local\...\nqqjm.exe (PE32)
  dropped: C:\Users\user\AppData\...\Dropperremvom.exe (PE32)
  Dropperremvom.exe
    dropped: C:\...\68.144.191remcos_nostartdisabler.exe (PE32)
    dropped: C:\Users\user\AppData\Local\Temp\rfil.js (ASCII)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    68.144.191remcos_nostartdisabler.exe
      network: 198.23.207.34, ports 2404, 49700, 49702 (AS-COLOCROSSINGUS, United States)
      dropped: C:\ProgramData\remcos\logs.dat (data)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Installs a global keyboard hook
      cmd.exe
        reg.exe
          signatures: Disables UAC (registry)
        conhost.exe
    wscript.exe
      network: 129.204.138.203, ports 49701, 49703, 49705 (CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa, China)
      dropped: C:\Users\user\AppData\Roaming\...\rfil.js (ASCII)
  wscript.exe
    signatures: Drops script or batch files to the startup folder; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
    nqqjm.exe
      signatures: Disables the Windows task manager (taskmgr)
      wscript.exe
        nqqjm.exe
      mshta.exe
      mshta.exe
      5 other processes
wscript.exe
  signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Threat name: Win32.Dropper.FrauDrop
Status: Malicious
First seen: 2022-10-27 20:36:44 UTC
File Type: PE (Exe)
Extracted files: 96
AV detection: 24 of 26 (92.31%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:remcos family:vjw0rm botnet:explorer wds evasion persistence rat trojan worm
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Executes dropped EXE
Remcos
UAC bypass
Vjw0rm
Malware Config
C2 Extraction: 198.23.207.34:2404

Unpacked files
SHA256 hash: e1c769fa9b5df66452e258e7110f925c7a9d3d2d399205826f6d8982037f62f7
MD5 hash: be6c646410236827282358f80ee2e066
SHA1 hash: e99e63e14c41c7d67787750018cc3b9610f4aaf2
Detections: Remcos win_remcos_auto

SHA256 hash: ecf0a03854448f1cbf09dddc8d901666af36093612a0419933d712f3f1700667
MD5 hash: 9a51aeaec33c96b99e004daf3f079f52
SHA1 hash: 0c06bede2bfe630dafa0f3cbf93935f7842734aa
Detections: Remcos win_remcos_auto

SHA256 hash: a01497ba09fd5c730fe83572819117f441166885b5b4a286b9c17f308e45c3da
MD5 hash: aaa6a8ff605c3b336cc84e55a3e919b1
SHA1 hash: 6bc2326858f244fc62f70a4206a62401e570ac44

SHA256 hash: 56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
MD5 hash: f83cb2f595ba590173ecc32fe1a4f957
SHA1 hash: 8f70abe57d708789e9c56ad98386c40253224758
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: QbotStuff
Author: anonymous

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: sfx_pdb_winrar_restrict
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Vjw0rm
File: Executable exe 56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2022-11-05 02:15:08 UTC

url : hxxps://humasjatim.id/tin/remcosinjection.exe