MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vjw0rm

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db
SHA3-384 hash:	34ea128e518d24f087af1495392df365d91b5cbdc76b47a2d21111ce1b2089a48e7e00f4ddd14497a3e7a243715d3454
SHA1 hash:	c6d0ac4edf12a65eedbbe387d8add54a7c0798ae
MD5 hash:	cb4d973520751a756027af396ef263fb
humanhash:	emma-arizona-helium-helium
File name:	Invoice PaymentPDF.js
Download:	download sample
Signature	Vjw0rm Create hunting rule
File size:	5'800 bytes
First seen:	2023-10-21 10:35:59 UTC
Last seen:	2023-11-08 14:20:33 UTC
File type:	js
MIME type:	text/plain
ssdeep	96:SABNo5Dyk2c24ZRMHXE6/BIL+Ys+fJ/nDdQqR7bJyKUxvUu/ingHXRZfzYMe/jFT:zSz2c24ZRMlBIaYs+fJ7fRfWingHXRZe
TLSH	T190C1739D288A8A3913D23B8AC06DC10DCCF114B47F28D1A219ACD5C57A0DC7A87F69BD
Reporter	abuse_ch
Tags:	js vjw0rm

abuse_ch

Vjw0rm C2:
http://172.245.244.118:7070/Vre

Intelligence

File Origin

# of uploads :

# of downloads :

309

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.28850.Heur.BadBat.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm evasive explorer lolbin masquerade obfuscated vjworm

Link:

https://www.filescan.io/uploads/6533a9b12c931cd07e19dc1a/reports/9a27dec1-b72b-4eb4-9580-b433d4259094/overview

Verdict:

Malicious

Labled as:

Trojan.JS

Link:

https://www.hybrid-analysis.com/sample/bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db

Result

Verdict:

MALICIOUS

Result

Threat name:

VjW0rm

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1329628

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Drops script or batch files to the startup folder

Found malware configuration

JavaScript source code contains functionality to check for AV products

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Drops script at startup location

Sigma detected: VjW0rm

System process connects to network (likely due to code injection or exploit)

Uses known network protocols on non-standard ports

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected VjW0rm

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

ASCII

Link:

https://malprob.io/report/bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db/

Threat name:

Script-JS.Downloader.Vajawom

Status:

Malicious

First seen:

2023-10-19 13:16:22 UTC

File Type:

Text (VBS)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xw4jusebhvstaigiaabltgj37hsjsiaimd3rlc2neuw2uewlwhnq._file

Result

Malware family:

vjw0rm

Score:

10/10

Tags:

family:vjw0rm persistence trojan worm

Link:

https://tria.ge/reports/231021-mnajeseb5v/

Behaviour

Enumerates physical storage devices

Adds Run key to start application

Drops startup file

Blocklisted process makes network request

Vjw0rm

Malware Config

C2 Extraction:

http://172.245.244.118:7070

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bdb89a48813d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bdb89a48813d653020c80002b9993bf9e499200860f7158b4d252daa12cbb1db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample