MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed
SHA3-384 hash: cacfb826a15b14465935baacdb2ed6c7b14ba7c4742062332e3988930391f920d8345f58d23941705a7e200fbd579eac
SHA1 hash: fe949c7d2a6e7fdbfe80f88b77ac121ff78473e0
MD5 hash: 07f93a3fafb4bdfc8ee14e75d3a067ed
humanhash: tennis-timing-oven-magazine
File name:07f93a3fafb4bdfc8ee14e75d3a067ed.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:605'696 bytes
First seen:2023-08-01 14:40:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:d8Ax7GrNHgsg5vcj61pn5P2uFe7IGxdjI73Jxge4WFNMiyxlwn:qAx7Gxe5vQcp8hVxE3jge4uml2
Threatray 245 similar samples on MalwareBazaar
TLSH T132D433CCA7C0CCB1EFC4697C9EDA47918A812CC814FB5E7AA360190785F9D371B51ADA
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
213.3.43.23:58001

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07f93a3fafb4bdfc8ee14e75d3a067ed.exe
Verdict:
Malicious activity
Analysis date:
2023-08-01 14:41:15 UTC
Tags:
zgrat backdoor
Link:
https://app.any.run/tasks/cf426103-9d1f-447a-b578-60e901b2fbf2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439627/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.11.24368.29428.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64c919803d0bb8484a8a44f7/reports/34fb713f-7507-4b80-8fb0-0849434e962a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b7bdf174-8f39-4a25-aae7-bff98bf14026
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1283817
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to many ports of the same IP (likely port scanning)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1283817 Sample: l9Ak6sEIvY.exe Startdate: 01/08/2023 Architecture: WINDOWS Score: 100 106 api.ip.sb 2->106 108 xmr.2miners.com 2->108 110 files.catbox.moe 2->110 118 Snort IDS alert for network traffic 2->118 120 Antivirus detection for URL or domain 2->120 122 Antivirus / Scanner detection for submitted sample 2->122 124 8 other signatures 2->124 13 cmd.exe 1 2->13         started        16 l9Ak6sEIvY.exe 3 2->16         started        19 cmd.exe 1 2->19         started        21 cmd.exe 2->21         started        signatures3 process4 file5 134 Very long command line found 13->134 136 Drops PE files with a suspicious file extension 13->136 23 cmd.exe 13->23         started        26 conhost.exe 13->26         started        90 C:\Users\user\AppData\...\l9Ak6sEIvY.exe.log, CSV 16->90 dropped 138 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->138 140 Writes to foreign memory regions 16->140 142 Modifies the context of a thread in another process (thread injection) 16->142 144 Injects a PE file into a foreign processes 16->144 28 InstallUtil.exe 15 5 16->28         started        32 cmd.exe 1 19->32         started        34 conhost.exe 19->34         started        36 cmd.exe 21->36         started        38 conhost.exe 21->38         started        signatures6 process7 dnsIp8 92 C:\Users\user\AppData\Local\...\rcmro.bat.scr, PE32+ 23->92 dropped 40 rcmro.bat.scr 22 23->40         started        44 conhost.exe 23->44         started        112 213.3.43.23, 39001, 49719, 49721 SWISSCOMSwisscomSwitzerlandLtdCH Switzerland 28->112 114 files.catbox.moe 108.181.20.35, 443, 49720, 49723 ASN852CA Canada 28->114 116 192.168.2.1 unknown unknown 28->116 94 C:\Users\user\AppData\Local\Temp\rcmro.bat, DOS 28->94 dropped 96 C:\Users\user\AppData\Local\...\eouaxwsoj.bat, DOS 28->96 dropped 146 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->146 46 chrome.exe 28->46         started        48 chrome.exe 28->48         started        98 C:\Users\user\AppData\...\eouaxwsoj.bat.scr, PE32+ 32->98 dropped 50 eouaxwsoj.bat.scr 16 32->50         started        52 conhost.exe 32->52         started        100 C:\Users\user\AppData\...\ucjboacd.bat.exe, PE32 36->100 dropped 148 Very long command line found 36->148 54 conhost.exe 36->54         started        56 ucjboacd.bat.exe 36->56         started        file9 signatures10 process11 file12 102 C:\Windows \System32\dxva2.dll, PE32+ 40->102 dropped 104 C:\Windows \System32\dccw.exe, PE32+ 40->104 dropped 128 Drops executables to the windows directory (C:\Windows) and starts them 40->128 58 dccw.exe 40->58         started        61 powershell.exe 40->61         started        63 dccw.exe 40->63         started        130 Adds a directory exclusion to Windows Defender 50->130 65 powershell.exe 50->65         started        67 powershell.exe 50->67         started        signatures13 process14 signatures15 132 Suspicious powershell command line found 58->132 69 powershell.exe 58->69         started        71 conhost.exe 61->71         started        73 conhost.exe 65->73         started        75 conhost.exe 67->75         started        process16 process17 77 cmd.exe 69->77         started        79 conhost.exe 69->79         started        process18 81 cmd.exe 77->81         started        83 conhost.exe 77->83         started        process19 85 rcmro.bat.scr 81->85         started        88 conhost.exe 81->88         started        signatures20 126 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 85->126
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2023-07-30 15:41:02 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bivd43vv3eqoadccia47kswrxh3g5ty4p6cuyvcotmxcfuktzhwq._file
Verdict:
malicious
Similar samples:
05c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
N-W0rm
2dc6a762fbcc017cddee0b0099ffcc61af6336f4444e911997e4af2635c8f183
N-W0rm
4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915
N-W0rm
4a8da72abff64bcf80a2500077504588b720180b7694203bdb2434fa075fa7fa
N-W0rm
8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5
N-W0rm
bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a
N-W0rm
c694357039b48581bd903c728fb830250ce54699cf9a1da57de649ef2a9be897
N-W0rm
e3725f57d26d63fa6e326e5cc622d408ebb6eb9c2d7468eb34c3b79f42c07169
N-W0rm
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
N-W0rm
+ 235 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230801-r2fd2she7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed
MD5 hash:
07f93a3fafb4bdfc8ee14e75d3a067ed
SHA1 hash:
fe949c7d2a6e7fdbfe80f88b77ac121ff78473e0
Link:
https://www.unpac.me/results/ad9a9303-6577-43a8-aa74-40c25bd37c86/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0a2a3e6eb5d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/439627/

Comments