MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a394d20736a664d2d1bdf79c05799eb30739c7c21770671e93110792914b02e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a394d20736a664d2d1bdf79c05799eb30739c7c21770671e93110792914b02e
SHA3-384 hash: 0fee4981ac26ebf3446fe8a548dd5230dc3a22b4ae56f4a006ecc601bc5f840ef05f24478e482ad24fb75ede1eebf986
SHA1 hash: a1e98d0e2d396a42eb0893c44cddeebce61179c7
MD5 hash: e1e19d0181a7616be3a80771a12ba6f5
humanhash: eighteen-lake-mango-batman
File name:mlieVzlYbq_detailsaccount_activity.js
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:399'445 bytes
First seen:2022-09-07 15:27:13 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:Ijuod5KPygUYu4oso+1JysoG1fQoRdk/Y1FQ9yMnhaNiI2:Iju6gu1NG1xRbRu
TLSH T1A4842A65BB885A8DF6980A8BE07C6DAE77F35B05C5E3B3CCA3A7354B255EE1D1508C00
Reporter 0xToxin
Tags:js vjw0rm

Intelligence

File Origin
# of uploads :
1
# of downloads :
459
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive hacktool obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/6318b860d94ccae4108300d2/reports/b4166d81-1ff7-419d-855f-3672336b159e/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
VjW0rm, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066549
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Benign windows process drops PE files
Drops script or batch files to the startup folder
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
JScript performs obfuscated calls to suspicious functions
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential obfuscated javascript found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Wscript called in batch mode (surpress errors)
Yara detected AgentTesla
Yara detected VjW0rm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699086 Sample: mlieVzlYbq_detailsaccount_a... Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 7 other signatures 2->50 6 wscript.exe 3 2->6         started        10 wscript.exe 12 2->10         started        13 wscript.exe 12 2->13         started        15 wscript.exe 2->15         started        process3 dnsIp4 26 C:\Users\user\AppData\...\document_memo.exe, PE32 6->26 dropped 28 C:\Users\user\AppData\RoamingDrlmddqAI.js, ASCII 6->28 dropped 62 System process connects to network (likely due to code injection or exploit) 6->62 64 Benign windows process drops PE files 6->64 66 JScript performs obfuscated calls to suspicious functions 6->66 68 3 other signatures 6->68 17 document_memo.exe 2 6->17         started        21 wscript.exe 2 13 6->21         started        36 javaautorun.duia.ro 10->36 38 192.168.2.1 unknown unknown 10->38 40 javaautorun.duia.ro 13->40 42 javaautorun.duia.ro 15->42 file5 signatures6 process7 dnsIp8 30 mail.qsabd.com 17->30 32 mail.qsabd.com 68.65.122.106, 26, 49735 NAMECHEAP-NETUS United States 17->32 52 Antivirus detection for dropped file 17->52 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->56 60 6 other signatures 17->60 34 javaautorun.duia.ro 91.192.100.8, 49724, 49726, 49727 AS-SOFTPLUSCH Switzerland 21->34 24 C:\Users\user\AppData\...DrlmddqAI.js, ASCII 21->24 dropped file9 58 System process connects to network (likely due to code injection or exploit) 30->58 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a394d20736a664d2d1bdf79c05799eb30739c7c21770671e93110792914b02e/
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 15:28:06 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 26 (26.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=li4u2idtnjte2li33544av4z5myhhhd4ef3qm4pjgeihskiuwaxa._file
Result
Malware family:
vjw0rm
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:vjw0rm collection keylogger persistence spyware stealer trojan worm
Link:
https://tria.ge/reports/220908-fwrdksdfh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
AgentTesla
Vjw0rm
Malware Config
C2 Extraction:
p=
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a394d20736a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/5a394d20736a664d2d1bdf79c05799eb30739c7c21770671e93110792914b02e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Double_Base64_Encoded_Executable
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889
Rule name:SUSP_Double_Base64_Encoded_Executable_RID34CC
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Vjw0rm

Java Script (JS) js 5a394d20736a664d2d1bdf79c05799eb30739c7c21770671e93110792914b02e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments