General

  • Target

    ANVJYRGCEHLJVEQHRRQKR.VBS

  • Size

    5KB

  • Sample

    220304-x3s97affe5

  • MD5

    b8e6f98016f0cbb8ab5b6d8699538648

  • SHA1

    fd72b20ec5ecf894454f319808582b43b769df05

  • SHA256

    9841a5ee76188c7c50f2438e125fa6d60416704e7d40885571491cec4729dd90

  • SHA512

    c67f7254b27a61e1a674e64f7aab56c1ee0aaeebcfe451343d8375e687516bfad6e9d002039d446b5955c28a13a46741ba00d72a5f25de9c2dc32e76f769d6f3

Score
10/10

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    exe.dropper: https://rebrand.ly/rlzgijk

Extracted

  • Family

    nworm

  • Version

    v0.3.8

  • C2

    nyanwmoney.duckdns.org:8891

  • Mutex

    594274bc
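
The C2, dropper URL and sample hash above as a log sweep, added here as an example and not part of the sandbox report: the indicator values are copied from the report, the key=value log lines are constructed for the example, and the field names (type, host, query, answer, dst, dport, url, sha256) are assumed. It encodes two caveats a practitioner would apply: rebrand.ly is a public URL shortener, so only the exact path is matched rather than the host, and the duckdns name resolves to changing addresses, so the C2 IP is learned from the DNS answer in the log instead of being hard-coded.

```python
"""IOC sweep for the nworm configuration extracted above (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the report.
SAMPLE_SHA256 = "9841a5ee76188c7c50f2438e125fa6d60416704e7d40885571491cec4729dd90"
DROPPER_URL = "https://rebrand.ly/rlzgijk"
C2 = "nyanwmoney.duckdns.org:8891"


@dataclass
class Indicators:
    sha256: set
    c2_host: str
    c2_port: int
    dropper_host: str
    dropper_path: str


def parse_indicators(sha256, dropper_url, c2):
    """Split the report's raw strings into the fields the matcher compares on."""
    host, _, port = c2.rpartition(":")
    u = urlparse(dropper_url)
    return Indicators({sha256.lower()}, host.lower(), int(port), u.netloc.lower(), u.path)


# Constructed log lines (not from the report): one key=value event per line.
SAMPLE_LOG = """\
type=dns host=ws01 query=nyanwmoney.duckdns.org answer=203.0.113.7
type=dns host=ws02 query=updates.example.com answer=198.51.100.9
type=conn host=ws01 dst=203.0.113.7 dport=8891 proto=tcp
type=http host=ws03 url=https://rebrand.ly/abc123
type=http host=ws01 url=https://rebrand.ly/rlzgijk
type=file host=ws01 path=C:\\Users\\u\\Downloads\\ANVJYRGCEHLJVEQHRRQKR.VBS sha256=9841A5EE76188C7C50F2438E125FA6D60416704E7D40885571491CEC4729DD90
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Assumed log format: whitespace-separated key=value pairs without spaces in values."""
    return dict(KV.findall(line))


def match_event(ev, ioc, resolved):
    """Return the indicator names one event matches.

    `resolved` accumulates IPs the C2 host resolved to earlier in the log, so a
    later connection to that IP on the C2 port is attributed to the C2 even
    though the connection event carries no hostname. The IP itself is never
    an indicator: dynamic-DNS names change address.
    """
    hits = []
    kind = ev.get("type")
    if kind == "dns":
        if ev.get("query", "").lower() == ioc.c2_host:
            hits.append("c2_dns")
            resolved.add(ev.get("answer"))
    elif kind == "conn":
        if ev.get("dst") in resolved and int(ev.get("dport", 0)) == ioc.c2_port:
            hits.append("c2_conn")
    elif kind == "http":
        u = urlparse(ev.get("url", ""))
        # Host plus exact path only: blocking all of rebrand.ly would be noisy.
        if u.netloc.lower() == ioc.dropper_host and u.path == ioc.dropper_path:
            hits.append("dropper_url")
    elif kind == "file":
        if ev.get("sha256", "").lower() in ioc.sha256:
            hits.append("sample_hash")
    return hits


def sweep(log_text, ioc):
    """Return {host: [indicator names]} for every host with at least one hit, in log order."""
    resolved = set()
    findings = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        for name in match_event(ev, ioc, resolved):
            findings.setdefault(ev["host"], []).append(name)
    return findings


if __name__ == "__main__":
    indicators = parse_indicators(SAMPLE_SHA256, DROPPER_URL, C2)
    for host, names in sweep(SAMPLE_LOG, indicators).items():
        print(host, names)
```

On the constructed input only ws01 is reported, with all four indicators; ws03 visited the same shortener but a different path and is left alone.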

Targets

    • Target

      ANVJYRGCEHLJVEQHRRQKR.VBS

    Score
    10/10
    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro, or that a script host launched a second-stage interpreter.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist made an outbound connection; the C2 host and dropper URL are listed under Malware Config.

    • Drops file in System32 directory

      A file write under %SystemRoot%\System32 is unusual for a script-launched process and worth correlating with the process tree.

    • Suspicious use of SetThreadContext

      SetThreadContext is a common step in process injection, in particular process hollowing (create a suspended process, write the payload into it, redirect the main thread's entry point, resume).
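
The process-tree signatures above (unexpected child process, blocklisted process making a network request, file dropped in System32) as detection logic, added here as an example and not part of the sandbox report. The Sysmon-style events are constructed for the example (eid 1 process create with image/parent/pid/ppid, eid 3 network connect with dst/dport, eid 11 file create with target), and the lists of script hosts and interpreters are assumptions to tune per environment. The SetThreadContext signature has no event in this scheme and is not covered.

```python
"""Process-lineage checks for the behavioural signatures above (added example)."""
import re

# Assumed baseline: script hosts that should rarely spawn interpreters, reach
# the network, or write under System32 on a workstation. Tune per environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Constructed Sysmon-like events (not from the report): one key=value event per line.
SAMPLE_EVENTS = """\
eid=1 pid=4120 ppid=3300 image=C:\\Windows\\System32\\wscript.exe parent=C:\\Windows\\explorer.exe
eid=1 pid=4188 ppid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\System32\\wscript.exe
eid=3 pid=4188 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=203.0.113.7 dport=8891
eid=11 pid=4188 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe target=C:\\Windows\\System32\\Tasks\\update.job
eid=1 pid=5002 ppid=3300 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe
eid=11 pid=900 image=C:\\Windows\\System32\\svchost.exe target=C:\\Windows\\System32\\config\\TxR\\x.log
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    return dict(KV.findall(line))


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def under_system32(path):
    return path.lower().startswith(SYSTEM32_PREFIX)


def lineage(pid, procs):
    """Image names from pid up through every ancestor seen in eid=1 events."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        img, ppid = procs[pid]
        chain.append(img)
        pid = ppid
    return chain


def analyse(events_text):
    """Return [(rule, pid)] in event order.

    Network and file rules fire only when a script host is somewhere in the
    process's ancestry, so svchost writing under System32 is not an alert
    while PowerShell launched by wscript.exe is.
    """
    procs = {}   # pid -> (image name, ppid)
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        eid, pid = ev["eid"], ev["pid"]
        if eid == "1":
            img, parent = image_name(ev["image"]), image_name(ev["parent"])
            procs[pid] = (img, ev["ppid"])
            # The parent may predate the log; record its name so lineage can reach it.
            procs.setdefault(ev["ppid"], (parent, None))
            if parent in SCRIPT_HOSTS and img in INTERPRETERS:
                alerts.append(("script_host_spawns_interpreter", pid))
            continue
        tainted = any(name in SCRIPT_HOSTS for name in lineage(pid, procs))
        if eid == "3" and tainted:
            alerts.append(("script_lineage_network", pid))
        elif eid == "11" and tainted and under_system32(ev["target"]):
            alerts.append(("script_lineage_writes_system32", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in analyse(SAMPLE_EVENTS):
        print(rule, pid)
```

Walking the ancestry rather than matching only the immediate parent matters because the interesting behaviour usually comes from a grandchild: the script host spawns an interpreter, and it is the interpreter that connects out and writes files.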
