MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b
SHA3-384 hash: d4bc819a182546de0b19714044e963af6358ca3713a83c6def8286f9d621d06916291b481f9cdd001a070af43303937c
SHA1 hash: 1d1ece00b70cce2fc782ea6d89b7e0947e828b33
MD5 hash: d8b897481e51cfab29862e8f9d5a039d
humanhash: fruit-bluebird-football-twenty
File name:d8b897481e51cfab29862e8f9d5a039d
Download: download sample
Signature N-W0rm
Create hunting rule
File size:5'613'056 bytes
First seen:2024-02-03 21:04:19 UTC
Last seen:2024-02-03 22:23:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:q731OeL4i0flbNfKXV9g9qXcyoQfAYHxiRRzh6itdFK8:elOeUz1uXg9q3tfDURzhJk
Threatray 2'849 similar samples on MalwareBazaar
TLSH T16B46338122AC8C5EDD2F5B725DEA17930D7E2C53C910133EB436D99026627BD6A33BC6
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe N-W0rm

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5468344f825636f5366841f8cfebb69a0fba96d5d8f5f252732e13cf6887686e.exe
Verdict:
Malicious activity
Analysis date:
2024-02-03 17:21:58 UTC
Tags:
opendir purelogs purecrypter loader stealer
Link:
https://app.any.run/tasks/d62a7cfd-67c2-438e-8526-1c9fc8ec9145

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474424/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.50328.18025.23864.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB explorer installer lolbin packed rundll32 setupapi sfx shell32 tiny
Link:
https://www.filescan.io/uploads/65beaa8219fc3809141e882b/reports/53c913e9-26c1-44bb-afc9-73dc6ec0aba9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c1c5f328-4fdd-477b-8c72-990ad62f1478
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386188
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Downloads files with wrong headers with respect to MIME Content-Type
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1386188 Sample: 1DH6tNuQSm.exe Startdate: 03/02/2024 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for domain / URL 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 7 other signatures 2->53 7 1DH6tNuQSm.exe 1 4 2->7         started        10 IsFixedSize.exe 14 5 2->10         started        13 cvvchost.exe 14 5 2->13         started        15 3 other processes 2->15 process3 file4 35 C:\Users\user\...\npp.8.6.2.Installer.x64.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\...\cpu-z_2.09-en.exe, PE32+ 7->37 dropped 17 npp.8.6.2.Installer.x64.exe 16 4 7->17         started        63 Multi AV Scanner detection for dropped file 10->63 65 Machine Learning detection for dropped file 10->65 67 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->67 22 IsFixedSize.exe 10->22         started        24 cvvchost.exe 13->24         started        69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->69 26 cvvchost.exe 15->26         started        signatures5 process6 dnsIp7 41 194.4.49.187, 49705, 49713, 49715 FIRSTDC-ASRU Russian Federation 17->41 31 C:\Users\user\AppData\Local\cvvchost.exe, PE32 17->31 dropped 55 Multi AV Scanner detection for dropped file 17->55 57 Machine Learning detection for dropped file 17->57 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->59 61 2 other signatures 17->61 28 npp.8.6.2.Installer.x64.exe 5 17->28         started        43 45.144.29.148, 49719, 80 HQservCommunicationSolutionsIL United Kingdom 22->43 45 212.224.86.54, 49718, 49720, 49721 DE-FIRSTCOLOwwwfirst-colonetDE Germany 22->45 33 C:\Users\user\AppData\Local\...\ggeyrzal.exe, PE32+ 22->33 dropped file8 signatures9 process10 file11 39 C:\Users\user\AppData\...\IsFixedSize.exe, PE32 28->39 dropped
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 13:29:00 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bz4zxr7rmuope4dzvwb752ynezaz6zhfqya4qw3pkx72cxxzvofq._file
Verdict:
malicious
Similar samples:
011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba
N-W0rm
0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b
N-W0rm
5468344f825636f5366841f8cfebb69a0fba96d5d8f5f252732e13cf6887686e
N-W0rm
a6c05c63623b019614ab1d5cf533f9599d42fe18773d1d92cb1caccee809d2ae
N-W0rm
ae16c9b0453f3cd9829140adcf38934bc8e2497373e1f3ff486c351ae5b1118e
N-W0rm
eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b
N-W0rm
+ 2'839 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/240203-zw6caaabh7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
cbb47fc9d1921af31aa6446d283a533c7f0b7b690332786d8ead3be245a8d39f
MD5 hash:
2b43471ea8864a15a49f4203aa2a4bc9
SHA1 hash:
7678c2b63b53f53a8d15a546c0effe52059121fb
Link:
https://www.unpac.me/results/6afa4b69-df30-477d-a10d-ee2053b478d8/
SH256 hash:
6f421d2f2b7c505222cb4052f664f622a87d3a8246f1f4b30fa5ca6598cbe098
MD5 hash:
c0fd76fcd10e744a23b8f1993e9560b0
SHA1 hash:
de8f2182928e593e12511cd2f94f0e397f992dc7
Link:
https://www.unpac.me/results/6afa4b69-df30-477d-a10d-ee2053b478d8/
SH256 hash:
0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b
MD5 hash:
d8b897481e51cfab29862e8f9d5a039d
SHA1 hash:
1d1ece00b70cce2fc782ea6d89b7e0947e828b33
Link:
https://www.unpac.me/results/6afa4b69-df30-477d-a10d-ee2053b478d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

Executable exe 0e799bc7f1651cf27079ad83feeb0d26419f64e58601c85b6f55ffa15ef9ab8b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474424/
  
URLhaus
https://urlhaus.abuse.ch/url/2756193/

Comments


Avatar
zbet commented on 2024-02-03 21:04:20 UTC

url : hxxp://194.4.49.187/fire/npp86Installerx64.exe