MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1
SHA3-384 hash: 97ce7d5765ff908a089c7f931573ba64b312df3a9b233f5c5a994d8ae65062f90211b1893fa1e88618bd4794bc91ad18
SHA1 hash: df4c62dca8b0f3ff2f224d35b01122bb75d7b40f
MD5 hash: 76c340c42e30fa690411c615dde06832
humanhash: east-oregon-music-skylark
File name:ORDER AT HAND URGENT.js
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:2'522'763 bytes
First seen:2023-03-02 12:28:11 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24576:wrcugOXZF93PIWzXhFERw+dID7RKSR5r7n6HHJ8ZC1oQVGIvAjU8XH+Z36UtwfB8:CfBDz9K
TLSH T11BC540729E23489122879A23663E40A9D6570F178F62758EFD5EB513EFCE60CC1B17B0
Reporter abuse_ch
Tags:js vjw0rm

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive obfuscated
Link:
https://www.filescan.io/uploads/6400968ebfec0852a68e7436/reports/520a18b2-3be0-42cb-aaf0-0c146622bd43/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1
Result
Verdict:
UNKNOWN
Result
Threat name:
VjW0rm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185934
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 818800 Sample: ORDER AT HAND URGENT.js Startdate: 02/03/2023 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Antivirus detection for URL or domain 2->43 45 Yara detected VjW0rm 2->45 47 3 other signatures 2->47 8 wscript.exe 3 3 2->8         started        12 wscript.exe 12 2->12         started        process3 dnsIp4 27 C:\Users\user\AppData\Roaming\vSGNXlMuXH.js, ASCII 8->27 dropped 29 C:\Users\user\AppData\...\mbsayyuuhb.txt, Zip 8->29 dropped 49 System process connects to network (likely due to code injection or exploit) 8->49 51 JScript performs obfuscated calls to suspicious functions 8->51 53 Drops script or batch files to the startup folder 8->53 55 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 8->55 15 wscript.exe 1 13 8->15         started        19 javaw.exe 23 8->19         started        31 javaautorun.duia.ro 12->31 file5 signatures6 process7 dnsIp8 33 javaautorun.duia.ro 91.193.75.131, 49698, 49930, 50027 DAVID_CRAIGGG Serbia 15->33 25 C:\Users\user\AppData\...\vSGNXlMuXH.js, ASCII 15->25 dropped 35 github.com 140.82.121.3, 443, 49699, 49706 GITHUBUS United States 19->35 37 140.82.121.4, 443, 50337, 50338 GITHUBUS United States 19->37 39 3 other IPs or domains 19->39 21 icacls.exe 1 19->21         started        file9 process10 process11 23 conhost.exe 21->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pzkj7v3kowk5auy5pyil75ogbppn27lh2jut2cjvp7uvi3lzrcqq._file
Result
Malware family:
vjw0rm
Create hunting rule
Score:
  10/10
Tags:
family:strrat family:vjw0rm persistence stealer trojan worm
Link:
https://tria.ge/reports/230302-pnxeasce5y/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
STRRAT
Vjw0rm
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e549fd76a75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments