General
Target: KTROWQANB.vbs
Size: 6KB
Sample: 220210-gtrf8sfben
MD5: ae14df44e1c761f6ffd4f775e9c890dd
SHA1: 53960358beadf51da65921775f40d63770834ff0
SHA256: 6b235c95eed670e95d5d6a62ce5cb81207cfa20f7c677c715a3fee9297810e3d
SHA512: c919b3c70f986095dc0eaf2004a54c28766e77e4398b09697c11dee80c6d5325f0c6570fb57a2df894daf0714552dfb1638c99d8c5e77142d811d5b958440ce4
Static task: static1
Behavioral task: behavioral1
  Sample: KTROWQANB.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: KTROWQANB.vbs
  Resource: win10v2004-en-20220112
Malware Config
Extracted
http://54.235.58.2/2/Ps1HDF.txt
Extracted
nworm
v0.3.8
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
cb2d3cba
Targets
Score: 10/10

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Blocklisted process makes network request

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Drops file in System32 directory

Suspicious use of SetThreadContext