MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c908b6ba4c4b07019b13a64ef1a29b1d468e73244cac07b7efd929fb75103f1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c908b6ba4c4b07019b13a64ef1a29b1d468e73244cac07b7efd929fb75103f1b
SHA3-384 hash: 04c2304769b03edd61942fc3b4cacd2d77327bf7343d9c35cabe8cb12b8a5bf30307aa153d6cb5e97650fa1f07ac234a
SHA1 hash: db8cc347e36952f61901d70cf95c2a90f908beea
MD5 hash: 4339e8acd7434e3871eaf9b1d5f79918
humanhash: social-quebec-south-orange
File name:C908B6BA4C4B07019B13A64EF1A29B1D468E73244CAC0.exe
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:7'507'456 bytes
First seen:2022-10-15 13:36:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:SkVy88mjucJbd91gb9hXJPmSC5ltjWyrVqJzN:lVsmjTb9IPmS0lxrV
Threatray 288 similar samples on MalwareBazaar
TLSH T17876336B7A848BA5C27618F040DF446603C26C575B3AD78275C53AD60EB23E8DC8F7DA
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71e0d4d2f8fcf071 (1 x Vjw0rm)
Reporter abuse_ch
Tags:exe vjw0rm


Avatar
abuse_ch
Vjw0rm C2:
http://kraldeli.linkpc.net:3/Vre

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://kraldeli.linkpc.net:3/Vre https://threatfox.abuse.ch/ioc/891264/

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320591/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.59012.22309.13768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Searching for the window
Enabling the 'hidden' option for recently created files
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634ab77f339362a6061a7b3f/reports/5dfd4218-2d0a-4e46-8bde-dbfdfcb34356/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e194f0f-5f4c-4872-9e91-ee31cdbedb6e
Result
Threat name:
VjW0rm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091199
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Drops script or batch files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected VjW0rm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 723809 Sample: C908B6BA4C4B07019B13A64EF1A... Startdate: 15/10/2022 Architecture: WINDOWS Score: 100 63 kraldeli.linkpc.net 2->63 77 Antivirus detection for dropped file 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 8 other signatures 2->83 9 C908B6BA4C4B07019B13A64EF1A29B1D468E73244CAC0.exe 3 9 2->9         started        12 wscript.exe 12 2->12         started        16 wscript.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 57 C:\Users\user\AppData\...\KMSoffline_x64.exe, PE32+ 9->57 dropped 59 C908B6BA4C4B07019B...8E73244CAC0.exe.log, ASCII 9->59 dropped 20 wscript.exe 2 14 9->20         started        25 KMSoffline_x64.exe 2 9->25         started        27 wscript.exe 9->27         started        67 kraldeli.linkpc.net 12->67 97 System process connects to network (likely due to code injection or exploit) 12->97 99 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->99 29 schtasks.exe 12->29         started        69 kraldeli.linkpc.net 16->69 31 schtasks.exe 16->31         started        71 cdn.discordapp.com 162.159.130.233, 443, 49719 CLOUDFLARENETUS United States 18->71 73 kraldeli.linkpc.net 18->73 75 kraldeli.linkpc.net 18->75 61 C:\Users\user\AppData\Roaming\mnb.vbs, Unicode 18->61 dropped 33 schtasks.exe 18->33         started        35 schtasks.exe 18->35         started        37 conhost.exe 18->37         started        39 wscript.exe 18->39         started        file6 signatures7 process8 dnsIp9 65 kraldeli.linkpc.net 84.51.52.166, 1143, 3, 49718 TELLCOM-ASTR Turkey 20->65 53 C:\Users\user\AppData\Roaming\...\kms.js, ASCII 20->53 dropped 55 C:\Users\user\AppData\Local\Temp\kms.js, ASCII 20->55 dropped 85 Drops script or batch files to the startup folder 20->85 87 Uses schtasks.exe or at.exe to add and modify task schedules 20->87 89 Creates processes via WMI 20->89 91 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 20->91 41 schtasks.exe 1 20->41         started        93 Multi AV Scanner detection for dropped file 25->93 95 Machine Learning detection for dropped file 25->95 43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        file10 signatures11 process12 process13 51 conhost.exe 41->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c908b6ba4c4b07019b13a64ef1a29b1d468e73244cac07b7efd929fb75103f1b/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 23:36:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zeelnosmjmdqdgytuzhpdiu3dvdi44zejswapn7p3eu7w5iqh4nq._file
Verdict:
malicious
Similar samples:
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
Vjw0rm
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
Vjw0rm
5ebb56bfa3cb77f522c007d692cccf9c9a6703ed5133d2760fbfff8801962c4d
Vjw0rm
a32437ab62c0ac90c236c6a8e33bd6b57e661cd83aaae7d6c9f371eefca5a7a5
Vjw0rm
ac3b32a95de5abf9c4e23a6f0f30691ff8e28c3e6a49b4a8c921c91da617c818
Vjw0rm
b99300d00050e4a8b2b0873723a9783b172776ba8cb7500d65e6d93bc3d37147
Vjw0rm
d486573a12a0a407b7ae295318b59e750fb63cd9de6d46cceb2c173ae0b6b650
Vjw0rm
ea788bc88806cc4632d36e119da7184e0923ac55439b044c73ca1c0f48f9e048
Vjw0rm
f9830090b4f92cddd5fcfc37eb596fb883bfd69ba854153c2e3c7d08e09c5f1e
Vjw0rm
+ 278 additional samples on MalwareBazaar
Result
Malware family:
vjw0rm
Create hunting rule
Score:
  10/10
Tags:
family:vjw0rm persistence trojan worm
Link:
https://tria.ge/reports/221015-qws8aafffj/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Process spawned unexpected child process
Vjw0rm
Malware Config
Dropper Extraction:
https://cdn.discordapp.com/attachments/984839998429876294/1007422794927181986/kms.vbs
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f744ce4e-0a44-45de-9c52-eaa6a33b05a1
Unpacked files
SH256 hash:
7e91d3dcffa65eac72b4c2f8fcec421cca442a0729f419fc993349b8cb9f9f34
MD5 hash:
a7f173f9d77ff3022ca8ffac1592bf89
SHA1 hash:
dbf9b0ef14b46a3bfcf77e1627e87b0abd4f3422
Link:
https://www.unpac.me/results/29e2c9d2-fa07-4345-a620-e8e8cefde183/
SH256 hash:
c908b6ba4c4b07019b13a64ef1a29b1d468e73244cac07b7efd929fb75103f1b
MD5 hash:
4339e8acd7434e3871eaf9b1d5f79918
SHA1 hash:
db8cc347e36952f61901d70cf95c2a90f908beea
Link:
https://www.unpac.me/results/29e2c9d2-fa07-4345-a620-e8e8cefde183/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c908b6ba4c4b07019b13a64ef1a29b1d468e73244cac07b7efd929fb75103f1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/320591/

Comments