Overview

overview

10

Static

static

YBAXAKQXVYWIXQJDE.vbs

windows7_x64

10

YBAXAKQXVYWIXQJDE.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    YBAXAKQXVYWIXQJDE.VBS

  • Size

    9KB

  • Sample

    220308-vvx73aheh9

  • MD5

    40f92eb4b46a3430167477d11dec4c9e

  • SHA1

    515ad5cac3f5b9ed1e7a7e14d53a191a12193984

  • SHA256

    8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f

  • SHA512

    80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://transfer.sh/get/8J0O0I/Server435.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

Targets

    • Target

      YBAXAKQXVYWIXQJDE.VBS

    • Size

      9KB

    • MD5

      40f92eb4b46a3430167477d11dec4c9e

    • SHA1

      515ad5cac3f5b9ed1e7a7e14d53a191a12193984

    • SHA256

      8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f

    • SHA512

      80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e

    Score
    10/10
    nwormdownloaderworm

    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

      wormdownloadernworm

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks