MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2
SHA3-384 hash: 92f2182a5a03d3180e3a79ea444390808d0fe9e92f3efcc0125126982b7d63750f937821137a0a16592b1518ca9b2887
SHA1 hash: 327e83c2886c42896804ab87ca6996cb621e9b71
MD5 hash: fa584c2b021aed55aff0c764aee1cff0
humanhash: quebec-fruit-nine-pizza
File name:EncKAO.vbs
Download: download sample
Signature N-W0rm
Create hunting rule
File size:3'775 bytes
First seen:2022-02-22 19:06:03 UTC
Last seen:2022-03-21 06:49:34 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:JRrjleLz4IYOINpCDwk/pKI7Y/j+hAderriwx7QkquS/:Llen4IYOsEwk/pIChAderrvx7QkvS/
Threatray 1'245 similar samples on MalwareBazaar
TLSH T1B171A374B0247AF38D02BD29D0E891731E7334345AFBA582882106371EF9DBA27DA247
Reporter adm1n_usa32
Tags:dropper N-W0rm nworm vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
661
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243425/
Detection(s):
SecuriteInfo.com.JS.Trojan.Cryxos.8146.4518.18912.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62153420875593a3cc04e69e/reports/87073e1d-8824-4c9a-8347-4f4735b5d9b4/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
NWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944238
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected NWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576713 Sample: EncKAO.vbs Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 10 other signatures 2->66 8 wscript.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 2->13         started        15 wscript.exe 2->15         started        process3 signatures4 80 VBScript performs obfuscated calls to suspicious functions 8->80 82 Wscript starts Powershell (via cmd or directly) 8->82 84 Obfuscated command line found 8->84 90 2 other signatures 8->90 17 powershell.exe 14 25 8->17         started        86 Suspicious powershell command line found 11->86 88 PowerShell case anomaly found 11->88 22 cmd.exe 1 11->22         started        24 conhost.exe 11->24         started        26 cmd.exe 13->26         started        28 conhost.exe 13->28         started        process5 dnsIp6 56 3.145.46.6, 49747, 80 AMAZON-02US United States 17->56 48 C:\ProgramData\...\WZQNBDSLVGAWPUXJRUVDYE.ps1, ASCII 17->48 dropped 50 C:\ProgramData\...\LZAVOBYIRFWZQZVCTGHPQB.vbs, ASCII 17->50 dropped 52 C:\ProgramData\...\LZAVOBYIRFWZQZVCTGHPQB.ps1, ASCII 17->52 dropped 54 C:\ProgramData\...\LZAVOBYIRFWZQZVCTGHPQB.bat, DOS 17->54 dropped 72 Suspicious powershell command line found 17->72 74 Bypasses PowerShell execution policy 17->74 30 powershell.exe 36 17->30         started        32 conhost.exe 17->32         started        76 Wscript starts Powershell (via cmd or directly) 22->76 78 PowerShell case anomaly found 22->78 34 powershell.exe 14 22->34         started        37 powershell.exe 26->37         started        file7 signatures8 process9 signatures10 39 wscript.exe 30->39         started        68 Writes to foreign memory regions 34->68 70 Injects a PE file into a foreign processes 34->70 41 aspnet_compiler.exe 34->41         started        44 aspnet_compiler.exe 34->44         started        46 aspnet_compiler.exe 37->46         started        process11 dnsIp12 58 nyanmoj.duckdns.org 37.120.141.190, 49778, 5057 M247GB Romania 41->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 19:06:23 UTC
File Type:
Text (VBS)
AV detection:
12 of 28 (42.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dokw5jtcmfszk3vis7kddaato3trrh4w4fe54gzo4l7nnfckhcza._file
Verdict:
unknown
Similar samples:
067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
N-W0rm
32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559
N-W0rm
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
N-W0rm
4ab15234cdc0baf746b77352e6d47af4643544c48c32653bd215c6e5296b6f3c
N-W0rm
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
N-W0rm
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
N-W0rm
92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448
N-W0rm
cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0
N-W0rm
dda839584708cdc28f165d0f387a43dbd32b7f56bba0af7c942ee2b751e9ab75
N-W0rm
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
N-W0rm
+ 1'235 additional samples on MalwareBazaar
Result
Malware family:
nworm
Create hunting rule
Score:
  10/10
Tags:
family:nworm downloader worm
Link:
https://tria.ge/reports/220222-xr3z9aceh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
NWorm
Process spawned unexpected child process
Malware Config
C2 Extraction:
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

Visual Basic Script (vbs) vbs 1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2

(this sample)

anyrun
any.run
https://app.any.run/tasks/d4ea530e-a1ce-4ac4-a533-90272cf44b1d
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243425/

Comments


Avatar
Adm1n 32 USA commented on 2022-02-22 19:07:46 UTC

extracted from html file and modified so it works as a standalone VBS