MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
SHA3-384 hash: 8bbd1d5af9faa5218e10e0ea3643242091fd974dad47783129f7679f8ffc7b21fb3dd37827200e7eeac1e7529d46e069
SHA1 hash: dd4e240e671307ceb1352629e874dee7a870a122
MD5 hash: 662efe80470a942e5405f393f251387c
humanhash: violet-gee-six-bluebird
File name:662efe80470a942e5405f393f251387c.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:415'232 bytes
First seen:2023-03-06 11:36:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8def334fa22d316960da4bc7fc2e9343 (2 x Stop, 1 x Smoke Loader, 1 x Gozi)
ssdeep 6144:fkRPLo4zgQnxfWh0IZCS+kXL+llRivL4po1oqrXVk:8s4zBxfK0IZVFL+ll0vL4KrX
Threatray 9 similar samples on MalwareBazaar
TLSH T10E94F1213AD0C472C09712744865CB652B7EB5319B7586CB7B942FFE5F303E0A63A39A
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 10ccccb096945912 (1 x N-W0rm)
Reporter abuse_ch
Tags:exe N-W0rm

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
662efe80470a942e5405f393f251387c.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 11:40:56 UTC
Tags:
redline
Link:
https://app.any.run/tasks/45df6157-6d80-407c-b39f-d1218227cb04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371944/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6405d05f93921fa04236c57d/reports/0c93b830-976d-4fec-a0ea-01d13fe7f7fa/overview
Verdict:
Malicious
Labled as:
Ransom.84989A88
Link:
https://www.hybrid-analysis.com/sample/46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17a4cfee-eec5-40a8-a43c-d173de1d996d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188170
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 11:42:04 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3cavpdmsugs6wqvipde37pczibascrb4l6kuxcep6rokbb2oavq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
086fd8fce9dbe726874324817d9c43368ff6762451b59c7df59f48438242d226
N-W0rm
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
N-W0rm
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
N-W0rm
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
N-W0rm
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
N-W0rm
9e9ff5827f90993bf7e9a8bd7f1b9f064180bff8211ca87d8e1d5886c11d5508
N-W0rm
a0de742e67b02eff50102c27c6c65bb0725f80f427e884675777b0dd5db69345
N-W0rm
a7244954aa33a3d0bbdc5bf098d546135f1b90545ad649f83eb0fe96b741c296
N-W0rm
c6a2d88ca5315aa555335addc8e834dcb1da654fa467e7d17decfa97df9594aa
N-W0rm
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230306-nqlj5sbd8v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
fe20253e6bcafed3a581e5269b6864d1fdf838983b0b4427bd9e4696ba3d1ffe
MD5 hash:
9297cc2bad28fe469640b35f8f9358a1
SHA1 hash:
b62081ed7e83a8721d5bf5df0d5ea9fdec2822e2
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6503e52e-87a8-43b9-afab-91a4171ccde8/
Parent samples :
b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666
SH256 hash:
db2c4acdeb934ae96e51b46b88f24dad4e43f69a90de44b8554e30b909ef29ca
MD5 hash:
9dc3abbfdcd1bb7cafb14a35b60d6713
SHA1 hash:
6aacaf8c94121006562f4a013283741340e99693
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/6503e52e-87a8-43b9-afab-91a4171ccde8/
Parent samples :
b440cc701ffb2c9027fee1ce97ab8f3e5c3db19449348e53833b74d1a0fd17d2
6132d0339518ab0af94fc797e90115469192e653b8e181b56411a1bc467efba3
0bc3bf3d578af6f367f2ba1e2684c686ab2339fbcaa3edd38e83789a692df1e2
70bbe3233b22e964ef757d5e58148674c2d700ee272874d288fa86274ec21756
355c0d46a3f2f7dde8639253608c1f980261f741361d5366e6263a057552158a
319f678b8bf7350d8a85d7a6185909f75ded81a976062ca8ef823177e90a649b
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
11035a6f9b2c940068b5b3a1af6ad00d30049086d7880c1b43b5a7079dfd699a
6122bf939accef04d0acffcf417e6f72ecf0dc713fbc0578940eaf4e04cb5bf6
32e595d4c93e4e0ca55de6756cf23ea090ea45c86d958857f44109376b02e3b0
c4a84f2d399775dfc0620a96cdf135ca5dd259b6691b052b49c3117d135e2666
SH256 hash:
f4262b5eb59db26a6eb9534d7d8e57955ef5ef3079a439570cb32c9754baf696
MD5 hash:
bcc57bbabee21070c3b1c1c0d6549c1d
SHA1 hash:
374f18b741a610c8d532d793c52e2aae22fc7856
Link:
https://www.unpac.me/results/6503e52e-87a8-43b9-afab-91a4171ccde8/
SH256 hash:
46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b
MD5 hash:
662efe80470a942e5405f393f251387c
SHA1 hash:
dd4e240e671307ceb1352629e874dee7a870a122
Link:
https://www.unpac.me/results/6503e52e-87a8-43b9-afab-91a4171ccde8/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46c40abc6c95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

Executable exe 46c40abc6c950d2f5a1543c64dfde2ca02090a21e2fcaa5c447fa2e5043a702b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2556788/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/371944/

Comments