MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493
SHA3-384 hash:	813f7618b20de84e07810c3a585b6c19c578cd3e74b57241b9a6604ede45aabaa9044919cbd41cc6e66fbb44a4b68c45
SHA1 hash:	064591946b1e73ce0f967a182fe2c3fa55ba5b20
MD5 hash:	602d7a1cb0b972c170d3a295e59c5244
humanhash:	north-juliet-blue-fix
File name:	52ce2f6b54f59176161c110aa56b42f1400ab17563c69.exe
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	7'633'888 bytes
First seen:	2026-03-06 13:25:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	88016fcdef7f227c62171d0afad9aae4 (5 x OffLoader, 3 x Gh0stRAT, 3 x ValleyRAT)
ssdeep	196608:SyaEJoIio4Jl77IUMAi1X7+5BRQShdjZn:SmKZo4HIfAi0pDj1
TLSH	T16876223FB28F753EE16E1A3A3A72A620653B6A1065134C42D6F4C45CCF6A1711F3E786
TrID	63.8% (.EXE) Inno Setup installer (107240/4/30) 24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.8% (.EXE) Win64 Executable (generic) (6522/11/2) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	eaaadcd6daaa8e96 (1 x N-W0rm)
Reporter	abuse_ch
Tags:	exe N-W0rm

abuse_ch

N-W0rm C2:
5.128.28.134:29932

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
5.128.28.134:29932	https://threatfox.abuse.ch/ioc/1760314/

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/9b4bb189-d9f9-4598-9ca2-5f4ca3b5386b/

Malware family:

n/a

ID:

File name:

52ce2f6b54f59176161c110aa56b42f1400ab17563c69.exe

Verdict:

Malicious activity

Analysis date:

2026-03-06 13:25:51 UTC

Tags:

bittorrent qrcode telegram delphi ssh

Link:

https://app.any.run/tasks/7e10a391-e14f-4557-bae3-3e892b4e789d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55822/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69aad5ca002d37d5c984b21d

Tags:

shell sage blic

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed signed soft-404

Link:

https://www.filescan.io/uploads/69aad5c597feb4afd66fd5f5/reports/523f38f9-7ed9-4d1d-a90c-413b447f9301/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493

Verdict:

Malicious

File Type:

exe x32

Detections:

UDS:DangerousObject.Multi.Generic NetTool.Aria2.HTTP.C&C

Link:

https://opentip.kaspersky.com/52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c46657c8-10e5-497c-95a6-04dd23b9199d

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1879558

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

48%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493/

Verdict:

Malicious

Threat:

Family.N-W0RM

Link:

https://tip.neiki.dev/file/52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=klhc622u6wixmfq4cefkk22c6faavmlvmpdjrkzhxogztkt5qsjq._file

Result

Malware family:

n/a

Score:

6/10

Tags:

adware defense_evasion discovery installer spyware trojan

Link:

https://tria.ge/reports/260306-qn57wahw6w/

Behaviour

Enumerates system info in registry

Kills process with taskkill

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

Checks whether UAC is enabled

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Network Share Discovery

Unpacked files

SH256 hash:

52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493

MD5 hash:

602d7a1cb0b972c170d3a295e59c5244

SHA1 hash:

064591946b1e73ce0f967a182fe2c3fa55ba5b20

Link:

https://www.unpac.me/results/62128c96-fcf3-4c0b-8336-356595304cf1/

SH256 hash:

6b45ce6d8bbc574bdce89008ac707b825ccad2644c734c20f19a5737c6c113ba

MD5 hash:

7dcee8682f30f5a6fc32ec3735a7efc7

SHA1 hash:

71fc06d72a647b717aef74084915da1e57da8a70

Link:

https://www.unpac.me/results/62128c96-fcf3-4c0b-8336-356595304cf1/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/62128c96-fcf3-4c0b-8336-356595304cf1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52ce2f6b54f59176161c110aa56b42f1400ab17563c698ab27bb8d99aa7d8493

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/55822/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample