MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8
SHA3-384 hash: 6da218b7ab2d7af5141f0ed7bbc5cab4d6251ebedc84223fac5e51878e7cad7312f9747776fb6d0d0224692b6ad8938f
SHA1 hash: 0775aea2722c8c40d14a8ff3a1814f38c31b0e98
MD5 hash: 1c76a4b273d68a5c88c113be47c43d14
humanhash: spring-william-yellow-romeo
File name:1c76a4b273d68a5c88c113be47c43d14.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:369'720 bytes
First seen:2022-07-05 03:10:35 UTC
Last seen:2022-07-05 03:42:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 029cdb9ab9091b14b7d6e2ba57e0f1b0 (1 x N-W0rm)
ssdeep 6144:soBTO4sGJ5wcnzyNM6G5vT4NiuJEPSeCAYMzPtTk:RdLwMZv38HeCnMzPtTk
Threatray 2'082 similar samples on MalwareBazaar
TLSH T18974EF27A566547BC9F58AB034A17E32AB1135CAF7F6F07B6B0826D2D9404F09B317C8
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
131.100.143.149:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
131.100.143.149:443 https://threatfox.abuse.ch/ioc/796413/

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Kovter.118.4367.25472.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23817/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit kovter overlay packed zusy
Link:
https://www.filescan.io/uploads/62c3ac03dd037e2703306087/reports/a0a403b4-9f1f-43e2-a397-0bef9445d028/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kovter
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cf9e13c-60d6-4c2b-bd00-b46a07c22761
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.phis
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024532
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 657027 Sample: cMdfm1lC5C.exe Startdate: 05/07/2022 Architecture: WINDOWS Score: 100 32 Antivirus detection for URL or domain 2->32 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 2 other signatures 2->38 8 cMdfm1lC5C.exe 3 2->8         started        11 mshta.exe 1 2->11         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 8->48 50 Maps a DLL or memory area into another process 8->50 52 Sample uses process hollowing technique 8->52 56 3 other signatures 8->56 13 regsvr32.exe 8->13         started        54 Suspicious powershell command line found 11->54 16 powershell.exe 18 11->16         started        process5 signatures6 58 Maps a DLL or memory area into another process 13->58 60 Delayed program exit found 13->60 62 Contains functionality to detect sleep reduction / modifications 13->62 18 regsvr32.exe 16 13->18         started        64 Found suspicious powershell code related to unpacking or dynamic code loading 16->64 22 conhost.exe 16->22         started        process7 dnsIp8 26 200.187.236.100, 49816, 80 UniversoOnlineSABR Brazil 18->26 28 85.174.117.121, 49817, 80 ROSTELECOM-ASRU Russian Federation 18->28 30 176.204.119.195, 49815, 80 EMIRATES-INTERNETEmiratesInternetAE United Arab Emirates 18->30 40 System process connects to network (likely due to code injection or exploit) 18->40 42 Creates an undocumented autostart registry key 18->42 44 Creates autostart registry keys with suspicious values (likely registry only malware) 18->44 46 3 other signatures 18->46 24 regsvr32.exe 18->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8/
Threat name:
Win32.Trojan.Kovter
Create hunting rule
Status:
Malicious
First seen:
2015-10-21 04:38:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
35 of 44 (79.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5l7z2sxpxmw6gluufgccvxt6f5lr6wpewd3agewsbzn77omz3ua._file
Verdict:
malicious
Similar samples:
055dca003a76ab4d3701f2351d9298949f8f2df0e4aba4a68bc76f90a2e1225b
N-W0rm
08b7f43f4b829414e96e46152b034b365a911a8282437c02ae5bd4084797c958
N-W0rm
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
N-W0rm
4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
N-W0rm
7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
N-W0rm
911860ba2f0c1d6b668bc865e77cdd09ef29682fa0ea39846b0affef39fa9e61
N-W0rm
d2802c979bc2fae533fb089fcf5c6cc0622245e874bee0c3faa23056443310a3
N-W0rm
+ 2'072 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader evasion persistence trojan
Link:
https://tria.ge/reports/220705-dplhmsfdc9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Adds policy Run key to start application
Looks for VMWare Tools registry key
Checks for common network interception software
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox drivers on disk
ModiLoader Second Stage
ModiLoader, DBatLoader
Process spawned unexpected child process
Unpacked files
SH256 hash:
2bc73f602f57fdc7844f94a37327df2bfa73eb3482f2216e00e9d989c04bdeb5
MD5 hash:
fc246fde18697c64f58473c031fc362b
SHA1 hash:
acbd862746351912872921327f6d7e0f51906f7f
Detections:
win_kovter_auto
Create hunting rule
win_kovter_a0
Create hunting rule
win_kovter_g0
Create hunting rule
Link:
https://www.unpac.me/results/85f37853-eaf8-4884-b232-b0ccde8d45b4/
Parent samples :
7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
d585331cf73902613cb67f42a4abbed947272dbbdcaa12586b12a0b421160fdb
0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8
b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc
SH256 hash:
50980538f2ed4d3b7b2dd4881993f038e29c1f15adc7d32331cecbb4aa4c574a
MD5 hash:
03414b43e516909c4ca8fd964b2ca5f2
SHA1 hash:
f66be3cbee68e7244d38544a5288c8faf5df85eb
Link:
https://www.unpac.me/results/85f37853-eaf8-4884-b232-b0ccde8d45b4/
SH256 hash:
0f57fcea577dd96f1974a14c2156f3f17ab8facf2587b018969072dffdcccee8
MD5 hash:
1c76a4b273d68a5c88c113be47c43d14
SHA1 hash:
0775aea2722c8c40d14a8ff3a1814f38c31b0e98
Link:
https://www.unpac.me/results/85f37853-eaf8-4884-b232-b0ccde8d45b4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f57fcea577d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:aPLib_decompression
Create hunting rule
Author:@r3c0nst
Description:Detects aPLib decompression code often used in malware
Reference:https://ibsensoftware.com/files/aPLib-1.1.1.zip
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_kovter_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments