MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bc179211df1495b972c87dc90029973085cca4fea0c26630f33d5dea2a9137f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bc179211df1495b972c87dc90029973085cca4fea0c26630f33d5dea2a9137f
SHA3-384 hash: 56a25574446999494c8a35161fc20fbab61dbff3f103e2dcfb2f9ec1b10485dec25b4537f404b65eb36a38b4ed714b61
SHA1 hash: a7834c3d4cec9de41ec05bd004019f8f0efd1b28
MD5 hash: 85ed4ca41df72e39d732b34c1dfbc3c5
humanhash: yankee-neptune-king-friend
File name:85ed4ca41df72e39d732b34c1dfbc3c5.exe
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:278'528 bytes
First seen:2022-03-19 19:06:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d2806726bc6ee08578ae2fe66ace5f6 (1 x Vjw0rm)
ssdeep 6144:syjHSQxXXq84QYm7NbNkmWaGkQ8/tgKPEpYsBlzO6EpncbK1h6JL6U8QR:ttXqJxz8/tz6K7cO1h++U8Q
TLSH T1644423C507636279DB64E3321470387FA9757AFF2E283BDC5A4046212A13CBDADAE315
File icon (PE):PE icon
dhash icon c480c8c4c8c880fc (1 x Vjw0rm)
Reporter abuse_ch
Tags:exe vjw0rm


Avatar
abuse_ch
Vjw0rm C2:
http://kiomanito.freemyip.com/Vre

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://kiomanito.freemyip.com/Vre https://threatfox.abuse.ch/ioc/423099/

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253009/
Detection(s):
Win.Malware.Brresmon-9877165-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a window
DNS request
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed ransomware shell32.dll zbot
Link:
https://www.filescan.io/uploads/623629dab94fb38cb4b091e7/reports/80b79db9-1c81-4c47-a80a-ce7ae7e92074/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24683762-4934-4765-b99e-a28ac0802e3d
Result
Threat name:
VjW0rm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960153
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected VjW0rm
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bc179211df1495b972c87dc90029973085cca4fea0c26630f33d5dea2a9137f/
Threat name:
Win32.Worm.Vjworm
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 03:25:47 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpaxsii56fevxfzmq7ojaauzomefzssp5igcmyypgpk55ivjcn7q._file
Verdict:
malicious
Result
Malware family:
vjw0rm
Create hunting rule
Score:
  10/10
Tags:
family:vjw0rm persistence trojan worm
Link:
https://tria.ge/reports/220319-xsm1esgdfl/
Behaviour
Adds Run key to start application
Vjw0rm
Malware Config
C2 Extraction:
http://kiomanito.freemyip.com
Unpacked files
SH256 hash:
d56356c78ef9bce5ab5b64bc7cf2f9d0ad05df1d1fad3b8ffe6266c04684b6d4
MD5 hash:
e70be85c96a26edbf8e33fcbe43c7c34
SHA1 hash:
e55b048f5e6a7554dea3ae3c76e99cbfb2ff3b19
Link:
https://www.unpac.me/results/e59997c0-6726-4390-9e18-b4330b72ef72/
SH256 hash:
9bc179211df1495b972c87dc90029973085cca4fea0c26630f33d5dea2a9137f
MD5 hash:
85ed4ca41df72e39d732b34c1dfbc3c5
SHA1 hash:
a7834c3d4cec9de41ec05bd004019f8f0efd1b28
Link:
https://www.unpac.me/results/e59997c0-6726-4390-9e18-b4330b72ef72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/9bc179211df1495b972c87dc90029973085cca4fea0c26630f33d5dea2a9137f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:MyWScript_CompiledScript
Create hunting rule
Author:Florian Roth
Description:Detects a scripte with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124)
Reference:Internal Research
Rule name:SUSP_MyWScript_RID2C4D
Create hunting rule
Author:Florian Roth
Description:Detects files generated with Script2Exe
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/253009/

Comments