General
-
Target
CQNUQGCNZ.VBS
-
Size
10KB
-
Sample
220211-wrglksdaf5
-
MD5
6612508aa88431555344552cb01f160e
-
SHA1
27996b57e0e6f57c28c99f6f6689683d4baca2d5
-
SHA256
cccccb888c81985ab515e56c035ae0e5708b88d8a8ef3b08a1a9d990fbbe83cd
-
SHA512
90c375626a3aeaf61b9aa77f1019c29e0215bbeb1e22f1cb22f8c4d55733177c0af674999e3829e9b838ee5b2b589259b479bfcf2855f6089afd8ae796a5f12c
Malware Config
Extracted
nworm
v0.3.8
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
cb2d3cba
Targets
-
-
Target
CQNUQGCNZ.VBS
-
Size
10KB
-
MD5
6612508aa88431555344552cb01f160e
-
SHA1
27996b57e0e6f57c28c99f6f6689683d4baca2d5
-
SHA256
cccccb888c81985ab515e56c035ae0e5708b88d8a8ef3b08a1a9d990fbbe83cd
-
SHA512
90c375626a3aeaf61b9aa77f1019c29e0215bbeb1e22f1cb22f8c4d55733177c0af674999e3829e9b838ee5b2b589259b479bfcf2855f6089afd8ae796a5f12c
Score10/10-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-