MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957
SHA3-384 hash: 7f67d449349e77f1f4a1a1ebacbb9c08ff0bb082d9bec52bbfb0904c875af7629c1c22e4e184d3df261980d600b7a25f
SHA1 hash: 740982407013acd0a2bdd64b9045064f8dc431d8
MD5 hash: 0de9a559c2124a49b1d7ad3ae038cd3c
humanhash: idaho-oranges-triple-carolina
File name:52D7F88F2AF1AFE7CA436C7553BC9F46D0B61D43A4945.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:1'840'518 bytes
First seen:2022-04-02 15:35:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep 24576:pQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVDE6:pQZAdVyVT9n/Gg0P+WhoU
Threatray 180 similar samples on MalwareBazaar
TLSH T16A85D44E964204ABE9503970845E6B6909606FBD2E73D763FE14F907FA327C3A43347A
File icon (PE):PE icon
dhash icon b2d2d2b2c99ca689 (6 x DarkWatchman, 1 x N-W0rm)
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
103.231.166.41:6066

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.231.166.41:6066 https://threatfox.abuse.ch/ioc/486237/

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Farfli-9832713-0
Create hunting rule

Win.Trojan.Generic-9908305-0
Create hunting rule

Win.Dropper.Midie-9942397-0
Create hunting rule

Win.Trojan.Generic-6305873-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the drivers directory
Loading a system driver
DNS request
Moving a file to the %temp% directory
Modifying an executable file
Running batch commands
Enabling autorun for a service
Infecting executable files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12404/overview
Behaviour
MalwareBazaar
CursorPosition
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer flystudio greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/62486d639253b276b7cde386/reports/2d17afed-8246-4bd2-be95-b53480c53c4e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Farfli
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07e74fa4-3faf-405d-b197-11a9474e0c2e
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969428
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: File Created with System Process Name
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 601915 Sample: 52D7F88F2AF1AFE7CA436C7553B... Startdate: 02/04/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 9 other signatures 2->67 8 52D7F88F2AF1AFE7CA436C7553BC9F46D0B61D43A4945.exe 19 2->8         started        12 TXPlatforn.exe 2->12         started        14 svchost.exe 2->14         started        16 8 other processes 2->16 process3 file4 49 HD_52D7F88F2AF1AFE...46D0B61D43A4945.exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Local\...\svchost.exe, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\Temp\svchos.exe, PE32 8->53 dropped 55 15 other malicious files 8->55 dropped 75 Drops PE files with benign system names 8->75 77 Drops executable to a common third party application directory 8->77 79 Infects executable files (exe, dll, sys, html) 8->79 18 svchost.exe 1 1 8->18         started        22 svchos.exe 1 8->22         started        24 HD_52D7F88F2AF1AFE7CA436C7553BC9F46D0B61D43A4945.exe 8->24         started        81 Antivirus detection for dropped file 12->81 83 Machine Learning detection for dropped file 12->83 85 Drops executables to the windows directory (C:\Windows) and starts them 12->85 26 TXPlatforn.exe 13 1 12->26         started        87 Changes security center settings (notifications, updates, antivirus, firewall) 14->87 29 MpCmdRun.exe 1 14->29         started        signatures5 process6 dnsIp7 43 C:\Windows\SysWOW64\TXPlatforn.exe, PE32 18->43 dropped 69 Antivirus detection for dropped file 18->69 71 Machine Learning detection for dropped file 18->71 31 cmd.exe 1 18->31         started        45 C:\Windows\SysWOW64\6350875.txt, PE32 22->45 dropped 34 WerFault.exe 20 9 22->34         started        59 hackerinvasion.f3322.net 26->59 47 C:\Windows\System32\drivers\QAssist.sys, PE32+ 26->47 dropped 73 Sample is not signed and drops a device driver 26->73 36 conhost.exe 29->36         started        file8 signatures9 process10 signatures11 89 Uses ping.exe to sleep 31->89 91 Uses ping.exe to check the status of other devices and networks 31->91 38 PING.EXE 1 31->38         started        41 conhost.exe 31->41         started        process12 dnsIp13 57 hackerinvasion.f3322.net 127.0.0.1 unknown unknown 38->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 05:24:00 UTC
File Type:
PE (Exe)
Extracted files:
125
AV detection:
37 of 42 (88.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kll7rdzk6gx6pssdnr2vhpe7i3ilmhkduskfrmo6phtgmqfixflq._file
Verdict:
malicious
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
N-W0rm
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
N-W0rm
38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
N-W0rm
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
N-W0rm
795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6
N-W0rm
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
N-W0rm
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
N-W0rm
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
N-W0rm
+ 170 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:purplefox persistence rootkit trojan upx
Link:
https://tria.ge/reports/220402-s1wv3sffc4/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets DLL path for service in the registry
Sets service image path in registry
UPX packed file
Detect PurpleFox Rootkit
PurpleFox
Unpacked files
SH256 hash:
fe04dd20c27d483e0ed1f07f39f2cf8f54f1e1af9ad794c9dfc4773a8fae7f60
MD5 hash:
8b1eda0bf1e445f16b910bc00b57d9b9
SHA1 hash:
5bbc680644c09a94d865c2440242a2eed1243d7f
Link:
https://www.unpac.me/results/3fa4e318-216d-4cde-a964-fc0e9303904e/
Parent samples :
d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656
9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d
90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660
SH256 hash:
c50bbd1c7359c6ab5b8028383b479c4b3a59a1faf60cdc7db43b317cd90c65ae
MD5 hash:
db3c6ece7d47803cecdeeed29f9a0c60
SHA1 hash:
c2450af2421717895ab2c81f48a489ea42aa326e
Link:
https://www.unpac.me/results/3fa4e318-216d-4cde-a964-fc0e9303904e/
SH256 hash:
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
MD5 hash:
3b377ad877a942ec9f60ea285f7119a2
SHA1 hash:
60b23987b20d913982f723ab375eef50fafa6c70
Link:
https://www.unpac.me/results/3fa4e318-216d-4cde-a964-fc0e9303904e/
SH256 hash:
52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957
MD5 hash:
0de9a559c2124a49b1d7ad3ae038cd3c
SHA1 hash:
740982407013acd0a2bdd64b9045064f8dc431d8
Link:
https://www.unpac.me/results/3fa4e318-216d-4cde-a964-fc0e9303904e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments