General

  • Target

    d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd

  • Size

    17KB

  • Sample

    220731-kebn1sgcc4

  • MD5

    c6ef22d341307db526ba8f5fe2a00d12

  • SHA1

    915e592739f6561fa871d0754f12a3a3d50153ee

  • SHA256

    d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd

  • SHA512

    5b34ff33b0c42e0b6fd3eeeeca7accf44b2b4bd71b834a047fcccb321413b046b93db335da6c4b626fae352ff40e6219aa1adcce871f80dd0a06d59ff1340bd0

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

win32update.duckdns.org:5553

xmrdjo.duckdns.org:5553

Mutex

4f9c371b

Targets

    • Target

      d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd

    • Size

      17KB

    • MD5

      c6ef22d341307db526ba8f5fe2a00d12

    • SHA1

      915e592739f6561fa871d0754f12a3a3d50153ee

    • SHA256

      d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd

    • SHA512

      5b34ff33b0c42e0b6fd3eeeeca7accf44b2b4bd71b834a047fcccb321413b046b93db335da6c4b626fae352ff40e6219aa1adcce871f80dd0a06d59ff1340bd0

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v6

Tasks