MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ea413a774d50a0780285ae1fb0d85020be08e16cf2dedd167bbf6f966532d5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ea413a774d50a0780285ae1fb0d85020be08e16cf2dedd167bbf6f966532d5c
SHA3-384 hash: 93c86b522a9f396c65ccf14fa6c6199f5d1b635704ebcc9d754ab08834b10170c24e4c335f1bbdf20017941efb9cf6be
SHA1 hash: 7240ae4f179acfc3c51401ef0f02b3ce6ccede4d
MD5 hash: 9302c460e2dee92114d1f276f413efd5
humanhash: ohio-illinois-pasta-nebraska
File name:9302C460E2DEE92114D1F276F413EFD5.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:788'992 bytes
First seen:2023-08-13 13:40:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ooUkaRP5Z9eCIOtzsO2Z2MSqIF+3zxjSVdc3nVWrFLiTj6B6K:6VRPzIazK8Ma+jxj6diVWrFLiT86
Threatray 2'530 similar samples on MalwareBazaar
TLSH T10EF4E1F288502351F1F37EB1430F368557B5866E89C9B7AF2E5A16B53077E02C121EE6
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 12b26968ccd87869 (1 x N-W0rm)
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
194.169.175.43:58004

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9302C460E2DEE92114D1F276F413EFD5.exe
Verdict:
Malicious activity
Analysis date:
2023-08-13 13:41:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c7693d0-4b37-4557-898d-2c3d7e307cc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442514/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.60132.25311.14323.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/64d8dd70a5c3e653be189aff/reports/838e445d-11ca-4bda-900e-831cb05e9571/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/1ea413a774d50a0780285ae1fb0d85020be08e16cf2dedd167bbf6f966532d5c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/05ea4ea9-1e99-457c-ac6a-7e2b25015087
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1290676
Signature
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Uses cmd line tools excessively to alter registry or file data
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1290676 Sample: NdKP12ZmmL.exe Startdate: 13/08/2023 Architecture: WINDOWS Score: 92 63 amm.mine.nu 2->63 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected AntiVM3 2->77 79 Yara detected Costura Assembly Loader 2->79 8 NdKP12ZmmL.exe 2 2->8         started        11 NdKP12ZmmL.pif 2 2->11         started        13 NdKP12ZmmL.pif.pif 2->13         started        15 4 other processes 2->15 signatures3 process4 signatures5 81 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->81 83 Injects a PE file into a foreign processes 8->83 17 cmd.exe 1 8->17         started        28 2 other processes 8->28 85 Multi AV Scanner detection for dropped file 11->85 20 cmd.exe 11->20         started        32 2 other processes 11->32 22 cmd.exe 13->22         started        34 2 other processes 13->34 24 cmd.exe 15->24         started        26 cmd.exe 15->26         started        36 5 other processes 15->36 process6 dnsIp7 69 Drops PE files to the document folder of the user 17->69 71 Uses cmd line tools excessively to alter registry or file data 17->71 73 Drops PE files with a suspicious file extension 17->73 44 2 other processes 17->44 47 2 other processes 20->47 49 2 other processes 22->49 51 2 other processes 24->51 53 2 other processes 26->53 65 amm.mine.nu 194.169.175.43, 49713, 49714, 49715 CLOUDCOMPUTINGDE Germany 28->65 67 192.168.2.1 unknown unknown 28->67 57 C:\Users\user\Documents57dKP12ZmmL.pif, PE32 28->57 dropped 38 conhost.exe 28->38         started        59 C:\Users\user\Documents59dKP12ZmmL.pif.pif, PE32 32->59 dropped 40 conhost.exe 32->40         started        61 C:\Users\user\...61dKP12ZmmL.pif.pif.pif, PE32 34->61 dropped 42 conhost.exe 34->42         started        55 2 other processes 36->55 file8 signatures9 process10 signatures11 87 Creates multiple autostart registry keys 49->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ea413a774d50a0780285ae1fb0d85020be08e16cf2dedd167bbf6f966532d5c/
Threat name:
ByteCode-MSIL.Trojan.W0Rm
Create hunting rule
Status:
Malicious
First seen:
2023-08-09 18:09:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2sbhj3u2ufapabillq7wdmfaif6bdqwz4w63ulhxp3pszstfvoa._file
Verdict:
malicious
Similar samples:
0a2a3e6eb5d920e00c424039f54ad1b9f66ecf1c7f854c544e9b2e22d153c9ed
N-W0rm
4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915
N-W0rm
59a5e46b3173bc33c36e91ea80c13771e4f760011e59d360f84070b72ebb28d0
N-W0rm
5e80077607f2345cc1c874a9e49b54bf923bb2d52a58bcf7ac3ca22fc8539f4b
N-W0rm
7f51dd699f733b774dcb7c6d3da1ac6d87a3bd7e7e6083eb9987b45fe0df72bf
N-W0rm
8dc089fd8fa7592e92ae50e19b2be9778db70fa4ca84af6f8dda27af4851faf5
N-W0rm
c694357039b48581bd903c728fb830250ce54699cf9a1da57de649ef2a9be897
N-W0rm
e3725f57d26d63fa6e326e5cc622d408ebb6eb9c2d7468eb34c3b79f42c07169
N-W0rm
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
N-W0rm
+ 2'520 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230813-qy4f2acg43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
8d91c69293c64c0d5b4efe15252a475bb256b097c7f9f82e725c05b23533208d
MD5 hash:
6ccde86c1c4a13d97a4a7faf015d197e
SHA1 hash:
ee1098f98c793e96ec31e21172543195854e8ba3
Link:
https://www.unpac.me/results/9289c98d-4927-4864-be33-0512eac6233a/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/9289c98d-4927-4864-be33-0512eac6233a/
SH256 hash:
a36631f45f9add6087fd63ad022a8300052b6d89d9aa7e15a7200d463f5706fb
MD5 hash:
dba243cf8ecf1116acacec127f09c0c4
SHA1 hash:
2bba73214e9f12fcc761b6e6a21fb14973bb55b5
Link:
https://www.unpac.me/results/9289c98d-4927-4864-be33-0512eac6233a/
SH256 hash:
7b8ca923cc2c90130e18265ab24d961376512077b1de9941c67f153955fd6f61
MD5 hash:
fb9db403e3ca8cc8fe5939386c090528
SHA1 hash:
bbaf10959b9a0fc23490f8e870434adcc938c339
Link:
https://www.unpac.me/results/9289c98d-4927-4864-be33-0512eac6233a/
SH256 hash:
ae170acd507112dc6269f098049a446e20afad6905fe644a0c6db5b1867d7905
MD5 hash:
f5ebdf752abe709cacea55ad8a6d10c7
SHA1 hash:
935aeb0da7daeac28e72ee5454a6ef83c6502d69
Link:
https://www.unpac.me/results/9289c98d-4927-4864-be33-0512eac6233a/
SH256 hash:
1ea413a774d50a0780285ae1fb0d85020be08e16cf2dedd167bbf6f966532d5c
MD5 hash:
9302c460e2dee92114d1f276f413efd5
SHA1 hash:
7240ae4f179acfc3c51401ef0f02b3ce6ccede4d
Link:
https://www.unpac.me/results/9289c98d-4927-4864-be33-0512eac6233a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ea413a774d50a0780285ae1fb0d85020be08e16cf2dedd167bbf6f966532d5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442514/

Comments