MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7
SHA3-384 hash: 5d870a94be468f37b69de38824bdc16e0c0c3ccb88a9ac47c2202b9feb8786ebb3c019523c908ab4b6569c625116c3a1
SHA1 hash: 64d927347d0c0786527532d86949919c076321c1
MD5 hash: 30260b612d994b6c7e5ff1febcb9a157
humanhash: mars-batman-diet-speaker
File name:30260b612d994b6c7e5ff1febcb9a157.exe
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:555'008 bytes
First seen:2023-05-14 00:25:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:UfIub9KMhn1PtO9yD34A81qsEh67FplSb2N8AF+IxOSEEmQiv0df8s/RcSklTWkA:kIuYAJ4Ms/bh
Threatray 465 similar samples on MalwareBazaar
TLSH T1A6C47D2928AF50ADA17BFF613EE87DDEDDDEE6632505641B1082030B4912F81EF4297D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2c6c00c066a66630 (2 x Vjw0rm, 2 x WSHRAT, 1 x Loda)
Reporter abuse_ch
Tags:exe vjw0rm


Avatar
abuse_ch
Vjw0rm C2:
http://142.202.242.176:2023/is-ready

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
wshrat
Create hunting rule
ID:
1
File name:
30260b612d994b6c7e5ff1febcb9a157.exe
Verdict:
Malicious activity
Analysis date:
2023-05-14 00:56:37 UTC
Tags:
evasion trojan wshrat vjworm
Link:
https://app.any.run/tasks/ba5369a0-561d-4156-a9ab-29c9efcc279a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/389284/
Detection(s):
SecuriteInfo.com.Variant.Razy.628496.17905.26054.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
exploit packed wscript.exe
Link:
https://www.filescan.io/uploads/64602a9a446f9ce94a65ad09/reports/82dcae0e-5194-49f5-9750-eb7c4b45f8c4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b3db1596-6c0b-4ede-b780-623617d04f0e
Result
Threat name:
VjW0rm, WSHRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232374
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Drops script or batch files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Sigma detected: VjW0rm
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Shell Script Host drops VBS files
Wscript called in batch mode (surpress errors)
Yara detected AntiVM3
Yara detected VjW0rm
Yara detected WSHRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865354 Sample: Y9IlbIEYjk.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 64 Sigma detected: Register Wscript In Run Key 2->64 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 16 other signatures 2->70 7 Y9IlbIEYjk.exe 3 2->7         started        11 wscript.exe 2->11         started        13 wscript.exe 2->13         started        16 5 other processes 2->16 process3 dnsIp4 38 C:\Users\user\AppData\Roaming\JoGjo.vbs, assembler 7->38 dropped 40 C:\Users\user\AppData\...\Y9IlbIEYjk.exe.log, CSV 7->40 dropped 80 Potential malicious VBS script found (suspicious strings) 7->80 82 Potential malicious VBS script found (has network functionality) 7->82 84 Potential evasive VBS script found (sleep loop) 7->84 18 wscript.exe 9 503 7->18         started        86 System process connects to network (likely due to code injection or exploit) 11->86 88 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 11->88 90 Wscript called in batch mode (surpress errors) 11->90 54 104.20.67.143, 443, 49694, 49695 CLOUDFLARENETUS United States 13->54 56 pastebin.com 13->56 23 wscript.exe 13->23         started        58 vj7974.duckdns.org 16->58 60 vj7974.duckdns.org 16->60 62 vj7974.duckdns.org 16->62 file5 signatures6 process7 dnsIp8 46 wshsoft.company 194.59.164.67, 49698, 80 AS-HOSTINGERLT Germany 18->46 48 vj7974.duckdns.org 142.202.242.176, 2023, 49688, 49689 1GSERVERSUS Reserved 18->48 50 2 other IPs or domains 18->50 30 C:\Users\user\AppData\Roaming\...\pythonw.exe, PE32 18->30 dropped 32 C:\Users\user\AppData\...\python37.dll, PE32 18->32 dropped 34 C:\Users\user\AppData\Roaming\...\python3.dll, PE32 18->34 dropped 36 516 other files (352 malicious) 18->36 dropped 72 System process connects to network (likely due to code injection or exploit) 18->72 74 Potential malicious VBS script found (suspicious strings) 18->74 76 Potential malicious VBS script found (has network functionality) 18->76 78 7 other signatures 18->78 25 wscript.exe 2 14 18->25         started        file9 signatures10 process11 dnsIp12 52 vj7974.duckdns.org 25->52 42 C:\Users\user\AppData\Roaming\...\windows.js, ASCII 25->42 dropped 44 C:\Users\user\AppData\Local\Temp\windows.js, ASCII 25->44 dropped 92 Creates multiple autostart registry keys 25->92 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-05-14 00:26:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=47kgfzo2idjhr4hqatzjdzcp3y5pbvvdxfkvcmm4jjsvlpgc52tq._file
Verdict:
malicious
Similar samples:
0553b17fec9602ac18d015f7f9278faedc2897e7d3d5000862ed73f26b741b0f
Vjw0rm
56a8aeac60e96feb740c5b5e1e5d08a33f340094fe2db71af960d4921158b325
Vjw0rm
6a777b549217c374615a6a26c7181fbef94ff5d239b8e1986074ed7c93d62338
Vjw0rm
7557abfdcfdd8a7ea014e293f6ee974f03feb0112d095bee57f0b81e246b1084
Vjw0rm
7e549fd76a7595d0531d7e10bff5c60bdedd7d67d2693d09357fe9546d7988a1
Vjw0rm
8c10b647fa6367b62a1cb828ebea88bbfdc90d7428275b02aa5c05a33d7a182a
Vjw0rm
8e1a2000df320c4e6359972dd138e574e4b620e3c571d2d0052fdf75644f2c7b
Vjw0rm
a9f4bd896d80bffd081462737964852868d1b6ed7adbadffaa6941227d54b6e3
Vjw0rm
fa2e0066a72e409c12bb2f71eb282d8feb9cf7a956ed51a22a69c4a43c7a9dba
Vjw0rm
+ 455 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:vjw0rm family:wshrat persistence trojan worm
Link:
https://tria.ge/reports/230514-aq6y7acd7x/
Behaviour
Modifies registry class
Script User-Agent
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Vjw0rm
WSHRAT
WSHRAT payload
Malware Config
C2 Extraction:
http://vj7974.duckdns.org:7974
Unpacked files
SH256 hash:
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7
MD5 hash:
30260b612d994b6c7e5ff1febcb9a157
SHA1 hash:
64d927347d0c0786527532d86949919c076321c1
Link:
https://www.unpac.me/results/9eca411e-59f1-4b9f-b078-a8a21b29b40c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Create hunting rule
Author:ditekSHen
Description:Detects executables containing base64 encoded User Agent
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vjw0rm

Executable exe e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2631520/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389284/

Comments