General
-
Target
STJQYIULUDCELUOGYJKBGX.vbs
-
Size
6KB
-
Sample
220215-cl9wdscbbr
-
MD5
74f58ac31a1f70bb4c704f31074882c0
-
SHA1
247ab701feff34cef747bf8e388b3639b8af9084
-
SHA256
7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2
-
SHA512
14e0e9a5f63e6b3807378a297146ba08ebdfbc73ff3ed27741761b22d53d3be59bcaa5ff2e06caa6d8d6f2e9d0f6fef9c530260d80fb61d50ea8ad904d990169
Malware Config
Extracted
nworm
v0.3.8
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
cb2d3cba
Targets
-
-
Target
STJQYIULUDCELUOGYJKBGX.vbs
-
Size
6KB
-
MD5
74f58ac31a1f70bb4c704f31074882c0
-
SHA1
247ab701feff34cef747bf8e388b3639b8af9084
-
SHA256
7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2
-
SHA512
14e0e9a5f63e6b3807378a297146ba08ebdfbc73ff3ed27741761b22d53d3be59bcaa5ff2e06caa6d8d6f2e9d0f6fef9c530260d80fb61d50ea8ad904d990169
Score10/10-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-