Skip to main content


While hunting for malware we found an interesting Javascript sample, which appears to be benign and purposed to dynamically defining some object properties. But is that all there is to it?

Looking at the status bar, it shows that the file size is 13.65KB, which doesn’t add up if you simply look at the code since it appears to be just a few hundreds of bytes. Scrutinizing it further, you will notice a comment block at the end of the code, which again doesn’t seem very interesting at all since it just looks like some comment with random strings, right? Toggling the word-wrap reveals that it is more than just a random comment.

By now you can tell that something is fishy with a code that is hidden between two (2) large chunks of random-looking comments. Let’s dig deeper and take a look at what this code does.

First, let’s isolate this suspicious code and using a vscode extension we’ll also format the document to have a better view of the Javascript code.

Deep Dive Analysis

Before we continue, let’s see what Varist Hybrid Analyzer can find out from this sample.

The analysis report shows the indicators of internet activity, which we can confirm while doing further analysis on the code.

The code can be simply broken down into four functions:

  1. Data table definition – defines a table that will hold chunks of strings
  2. Data table lookup – returns a string from the data table given an index
  3. Remote code download – downloads remote Javascript code
  4. Dynamic function call – executes the downloaded Javascript code

In summary, this hidden piece of code downloads and executes another Javascript code from hxxps://blawx[.]com/letter.php?9280, which follows the same format of hiding code between large comment blocks as shown below:

Varist Hybrid Analyzer, reports indicators of Powershell execution activity and internet activity, which is confirmed through analysis to download and implant a final payload into the affected system.

The Powershell code behavior can be broken-down into the following actions:

  1. Downloads base64 encoded data from hxxps://boxtechcompany[.]com/1/GetData.php?6897
  2. Creates a folder in %ApplicationData% with the name DIVX<random number>
  3. Saves the decoded data to %ApplicationData%\DIVX<random number>\
  4. Extracts the contents of the saved ZIP archive into the created folder
  5. For persistence, adds %ApplicationData%\DIVX<random number>\client32.exe in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The file client32.exe, which Varist detects as W32/Tool.EQYN-2153, is a variant of NetSupport remote administration tool.


Based on the above findings and the presence of a few indicators such as the licensee name HANEYMANEY found in the NetSupport RAT license file, these set of samples were observed to be related to the SocGholish activity which is attributed to the adversary group TA569.

Checking the configuration file, Client32.ini, we can also find the C2 server IP from its GatewayAddress field as shown in the screenshots below.

From further digging, there is a big possibility that this malware is delivered via malware advertisements, also known as malvertisements, based on findings related to the Javascript file name, BILL54878.js, possibly downloaded from a URL linked to Google Ads.

Best Practices and Recommendations

Varist highly recommends keeping your antivirus definitions up to date and exercising caution when opening attachments, even if they are from someone you trust, doing so will help protect you from social engineering attacks delivering malware. 

See how Varist’s Hybrid Analyzer can turbo-charge your malware analysis pipeline with our free demo. Head over here to take a look.

Indicators of Compromise

TypeIndicatorDescriptionVarist Detection
URLhxxp://adclick[.]g[.]doubleclick[.]net/aclk?sa=L&ai=Br-lWs9D-UuqXJ-3W0AHXjoBIgZrh2wQAAAAQASCB24gaOABY2YWF7IUBYM3Q5YCQA7IBFWNsaWNram9nb3MudW9sLmNvbS5icroBCWdmcF9pbWFnZcgBCdoBM2h0dHA6Ly9jbGlja2pvZ29zLnVvbC5jb20uYnIvam9nb3MvM2QtZmVycmFyaS1mNDU4L6kCUuihKYoXnD7AAgLgAgDqAhovODQyMjAzMy9nYW1lX2ludGVyc3RpdGlhbPgC_9EekAOcBJgD2ASoAwHQBJBO4AQBoAYf&num=0&sig=AOD64_3QPS9aAcXGF8Lodprvo3IIHRNu1Q&client=ca-pub-8399249277895561&adurl=/// link
URLhxxps://gg[.]gg/carzzz#rTMalvertisement redirection link
URLhxxps://blawx[.]com/#rTMalvertisement landing page
URLhxxps://blawx[.]com/#downloadDrive-by download link
SHA256eebb69a2374dbd4def5e52e2264b544e02abdc1cc0114e5137f4d49ce3c50bebBILL54878.js – Downloader malwareJS/Downldr.EO.gen!Eldorado, JS/Downldr.WI!Eldorado
URLhxxps://blawx[.]com/letter.php?9280Remote Javascript URL
SHA256b8ab3638aa059c62f5bd3c71bb8863c7be11c758b858622bb5da565717278696Initial Javascript payloadJS/Agent.CDM.gen!Eldorado
URLhxxps://boxtechcompany[.]com/1/GetData.php?6897Final payload URL
SHA256bb43c603375bda9cb8529863191f4d61dc62f880f01860b1107066cede52e519Base64 encoded payloadW32/Tool.EQYN-2153 – Final payload packageW32/Tool.EQYN-2153
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2dclient32.exe – NetSupport RATW32/Tool.EQYN-2153
NameHANEYMANEYNetSupport RAT licensee name
IP81.19.137.226C2 host