MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268
SHA3-384 hash:	940f4f5ac6356cc108896485aa7f4232cb2dd71654f2223f34f849377863eefe26ca1d00a751579dd8bf983f88d9c22a
SHA1 hash:	574a56950ab7f860b9a34238058bdd57958222db
MD5 hash:	48974dd06ef7e2587826fb6d0e4fe7b0
humanhash:	river-diet-connecticut-fourteen
File name:	48974dd06ef7e2587826fb6d0e4fe7b0.exe
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	360'690 bytes
First seen:	2024-10-18 09:10:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bef40bc1b92b46a02b66ed837f361d00 (1 x N-W0rm)
ssdeep	6144:e8ubWcC2hsfVfLg5+fTFZH/IWCvHRfdh8tkS8R9SqtJCAxAYUSEy9AfC0v:etSIhsRLE+fTFZgnvxfdh8tnDs0wAfSO
TLSH	T1FF74018FE39441F2F9AB04F40D96BB3EC715DECA0A94C64717D4FE527AB7242895B220
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	f0f0e8d6cee8f0e0 (1 x N-W0rm)
Reporter	abuse_ch
Tags:	exe N-W0rm

abuse_ch

N-W0rm C2:
210.61.125.109:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
210.61.125.109:80	https://threatfox.abuse.ch/ioc/1337481/

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

48974dd06ef7e2587826fb6d0e4fe7b0.exe

Verdict:

Suspicious activity

Analysis date:

2024-10-18 09:12:24 UTC

Tags:

api-base64 susp-powershell

Link:

https://app.any.run/tasks/867a168e-6166-496c-bc37-0bb37af6e18e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Kovter-7079846-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67122628e706a56b5a02b1b0

Tags:

Shellcode Exploit Kryptik Locky

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint keylogger mingw overlay packed

Link:

https://www.filescan.io/uploads/67122627b8693873ac8398c2/reports/382a7b75-4ddf-40b7-9552-e4bccea9be73/overview

Verdict:

Malicious

Labled as:

Poweliks.Dropper.Generic

Link:

https://www.hybrid-analysis.com/sample/5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c0b7c183-9b9a-48da-b731-1deb959e6027

Result

Threat name:

DBatLoader, Kovter, Novter

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1536900

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Creates processes via WMI

Delayed program exit found

Detected unpacking (changes PE section rights)

Found malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Yara detected DBatLoader

Yara detected Kovter

Yara detected Novter bot

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268/

Threat name:

Win32.Dropper.Poweliks

Status:

Malicious

First seen:

2017-01-19 06:41:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

37 of 37 (100.00%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=llgqwar327nbchoek23urffppdrtkxco3ct6q75lsbuood54ejua._file

Verdict:

malicious

Label(s):

kovter

Similar samples:

error

N-W0rm

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery evasion execution persistence trojan

Link:

https://tria.ge/reports/241018-k5la5s1elm/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Looks for VMWare Tools registry key

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

ModiLoader, DBatLoader

Process spawned unexpected child process

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/418ac416-1f57-42a4-b14d-761a3273a2ea

Unpacked files

SH256 hash:

728a526d7b3b7da94e9a488d5c9092173332a2693dceca8fa794b0f0abf9d5f9

MD5 hash:

1989feb171ea23f6caed10693c94b4fb

SHA1 hash:

0cfd6a7bc08a77872d01f618bef199fce81acebc

Detections:

win_kovter_g0

win_kovter_a0

win_kovter_auto

Win32_Ransomware_Kovter

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

SH256 hash:

4d5846e07b1c8d189a7af6f6812dec18188ce335e35b571647faeec8ccbb606a

MD5 hash:

fb47db4ff8b8400ae9ead3a1ef58b175

SHA1 hash:

568c9f5326de8b33dcf343de2b45e9856bc5c534

Detections:

win_kovter_g0

win_kovter_a0

win_kovter_auto

Win32_Ransomware_Kovter

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

Parent samples :

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b
761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289
5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

SH256 hash:

4f4523123620c1384fe37c6cfd46b46c8f9eeb4716550227ab849b358b510c50

MD5 hash:

d46f7173d090ebfe2411d1eb87304151

SHA1 hash:

4a5632e9a0bd51c65386e4336c4cd43426037f39

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

SH256 hash:

5948ac04f91c3bd5851b3294c867d985ebe6717c9b3bfebdfe63e1e565c83fef

MD5 hash:

163db74b1a86e1e3c72dc9a40428ddc9

SHA1 hash:

d42b9092bcf3756a238bbd10330e32455ef10615

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

SH256 hash:

aac50fd8e634db447375b9a70db2942506bfb8043c32f79ed935db58a166b1cc

MD5 hash:

31b2a76c68fcf905cb4802f017ad4754

SHA1 hash:

c100d264b9c656246cdc153d03835d9ae8ab34b4

Detections:

win_kovter_g0

win_kovter_a0

Win32_Ransomware_Kovter

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

SH256 hash:

f8d2ad25331b4a62d8d74056cb578be0bfcd4ac24b7fe9453f8654d1cddf3233

MD5 hash:

c5d80a3376f4b7e25c5092b0d3d08852

SHA1 hash:

452cb21cadc70c1081c5823996bd6875fce687a7

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

SH256 hash:

5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

MD5 hash:

48974dd06ef7e2587826fb6d0e4fe7b0

SHA1 hash:

574a56950ab7f860b9a34238058bdd57958222db

Link:

https://www.unpac.me/results/0ca1cf72-70d7-47d3-9655-a1b174c21ff2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5acd0b023bd7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSecurityDescriptorToStringSecurityDescriptorW ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW ADVAPI32.dll::ConvertStringSidToSidW ADVAPI32.dll::CopySid ADVAPI32.dll::EqualSid
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAccessAllowedAce ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetKernelObjectSecurity ADVAPI32.dll::GetSecurityDescriptorControl
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupAccountNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	mpr.dll::WNetEnumResourceW mpr.dll::WNetOpenEnumW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegOpenKeyW ADVAPI32.dll::RegQueryValueW ADVAPI32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample