MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1
SHA3-384 hash: 65c5ffcf67ecba1b38f78c36956564c4dc545bca83edeb1c0749806eb3cf183659acb01b77df59f2d470c8ee59773bf6
SHA1 hash: 14c43392659e2a3af1fd430e8600a7bbf89f0c9d
MD5 hash: 0ad49c49340c763a19d72e723d0eacff
humanhash: music-kansas-ack-golf
File name:0ad49c49340c763a19d72e723d0eacff.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:25'717'109 bytes
First seen:2025-11-16 20:05:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15d53913ba494ccc61512607f46fddf4 (2 x N-W0rm, 2 x ValleyRAT, 1 x PureLogsStealer)
ssdeep 786432:m9B4e9wQAja9jO1bIgxxxB8vM2B+XBeBf:uQ5bK3B+xeBf
TLSH T1DF473320D4D0C1E2C82A22379F119CBC635CBB12CB694F57F7158A8DCB914915BBBA7B
TrID 62.2% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
157.20.182.12:58008

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
157.20.182.12:58008 https://threatfox.abuse.ch/ioc/1645132/

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ad49c49340c763a19d72e723d0eacff.exe
Verdict:
Malicious activity
Analysis date:
2025-11-16 20:06:27 UTC
Tags:
python arch-scr arch-doc pyinstaller auto-startup delphi inno installer purecrypter stealer
Link:
https://app.any.run/tasks/2b3d2457-772f-44d6-891e-829864b5f756

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38392/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691a2e9a434cd67b17c23a37
Tags:
ransomware shellcode extens
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Moving a recently created file
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context expand installer-heuristic lolbin microsoft_visual_cc overlay packed packed pyinstaller python
Link:
https://www.filescan.io/uploads/691a2e95a4cfab8e885cb04f/reports/0685c3bd-b4de-4a84-8194-098a30d9a3a7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1
Result
Verdict:
MALICIOUS
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-06-09T04:58:00Z UTC
Last seen:
2025-11-14T04:17:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.PowerShell.DefenderDisabler.gen
Link:
https://opentip.kaspersky.com/5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1/results?tab=lookup
Result
Threat name:
PureLog Stealer, Purecrypter
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1814971
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Drops PE files to the startup folder
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected GenericBackdoor
Yara detected Powershell decode and execute
Yara detected Purecrypter
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1814971 Sample: hV1OKmlsaT.exe Startdate: 16/11/2025 Architecture: WINDOWS Score: 100 150 loglog.ath.cx 2->150 152 vpnl.net 2->152 180 Suricata IDS alerts for network traffic 2->180 182 Malicious sample detected (through community Yara rule) 2->182 184 Antivirus / Scanner detection for submitted sample 2->184 186 22 other signatures 2->186 14 hV1OKmlsaT.exe 17 2->14         started        18 cmd.exe 2->18         started        20 dqbgsrmrf.exe 2->20         started        22 wins64.exe 2->22         started        signatures3 process4 file5 142 C:\Users\user\AppData\...\unicodedata.pyd, PE32 14->142 dropped 144 C:\Users\user\AppData\Local\...\select.pyd, PE32 14->144 dropped 146 C:\Users\user\AppData\Local\...\python311.dll, PE32 14->146 dropped 148 10 other files (none is malicious) 14->148 dropped 214 Found pyInstaller with non standard icon 14->214 24 hV1OKmlsaT.exe 5 14->24         started        216 Suspicious powershell command line found 18->216 218 Wscript starts Powershell (via cmd or directly) 18->218 27 cmd.exe 18->27         started        29 conhost.exe 18->29         started        220 Multi AV Scanner detection for dropped file 20->220 222 Contains functionality to detect sleep reduction / modifications 20->222 signatures6 process7 file8 130 C:\Users\user\AppData\...\original_setup.exe, PE32 24->130 dropped 132 C:\Users\user\AppData\Local\...\script.bat, DOS 24->132 dropped 134 C:\Users\user\AppData\Local\...\combined.png, JPEG 24->134 dropped 31 cmd.exe 1 24->31         started        34 original_setup.exe 2 24->34         started        37 cmd.exe 1 24->37         started        41 2 other processes 24->41 39 cmd.exe 27->39         started        process9 file10 224 Suspicious powershell command line found 31->224 226 Wscript starts Powershell (via cmd or directly) 31->226 43 powershell.exe 12 31->43         started        46 conhost.exe 31->46         started        128 C:\Users\user\AppData\...\original_setup.tmp, PE32 34->128 dropped 48 original_setup.tmp 28 473 34->48         started        228 Uses cmd line tools excessively to alter registry or file data 37->228 51 conhost.exe 37->51         started        53 attrib.exe 1 37->53         started        55 powershell.exe 39->55         started        58 conhost.exe 39->58         started        60 conhost.exe 41->60         started        62 3 other processes 41->62 signatures11 process12 dnsIp13 188 Bypasses PowerShell execution policy 43->188 190 Drops PE files to the startup folder 43->190 192 Found suspicious powershell code related to unpacking or dynamic code loading 43->192 194 Powershell drops PE file 43->194 64 cmd.exe 1 43->64         started        114 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 48->114 dropped 116 C:\Program Files\...\unins000.exe (copy), PE32 48->116 dropped 118 C:\Program Files\...\unicows.dll (copy), PE32 48->118 dropped 120 44 other files (none is malicious) 48->120 dropped 67 _setup64.tmp 48->67         started        156 loglog.ath.cx 178.16.55.156, 49743, 49812, 7705 DUSNET-ASDE Germany 55->156 196 Tries to steal Mail credentials (via file / registry access) 55->196 198 Tries to harvest and steal browser information (history, passwords, etc) 55->198 200 Writes to foreign memory regions 55->200 202 3 other signatures 55->202 69 chrome.exe 55->69         started        72 chrome.exe 55->72 injected 74 chrome.exe 55->74 injected 76 chrome.exe 55->76 injected file14 signatures15 process16 dnsIp17 168 Suspicious powershell command line found 64->168 170 Wscript starts Powershell (via cmd or directly) 64->170 78 wscript.exe 64->78         started        81 powershell.exe 64->81         started        84 powershell.exe 8 64->84         started        91 2 other processes 64->91 86 conhost.exe 67->86         started        154 192.168.2.4, 138, 443, 49155 unknown unknown 69->154 88 chrome.exe 69->88         started        signatures18 process19 dnsIp20 206 Wscript starts Powershell (via cmd or directly) 78->206 208 Windows Scripting host queries suspicious COM object (likely to drop second stage) 78->208 210 Suspicious execution chain found 78->210 93 powershell.exe 78->93         started        122 C:\Users\Public\user.ps1, Unicode 81->122 dropped 124 C:\Users\Public\init.vbs, ASCII 81->124 dropped 212 Loading BitLocker PowerShell Module 81->212 126 C:\Users\Public\trumpp.zip, Zip 84->126 dropped 162 play.google.com 142.250.64.110, 443, 49774, 49777 GOOGLEUS United States 88->162 164 plus.l.google.com 142.250.64.78, 443, 49771 GOOGLEUS United States 88->164 166 7 other IPs or domains 88->166 file21 signatures22 process23 file24 140 C:\Users\user\AppData\Roaming\...\wins64.exe, PE32 93->140 dropped 96 wins64.exe 93->96         started        99 powershell.exe 93->99         started        101 conhost.exe 93->101         started        process25 signatures26 172 Writes to foreign memory regions 96->172 174 Allocates memory in foreign processes 96->174 176 Injects a PE file into a foreign processes 96->176 103 InstallUtil.exe 96->103         started        107 InstallUtil.exe 96->107         started        178 Loading BitLocker PowerShell Module 99->178 110 conhost.exe 99->110         started        112 WmiPrvSE.exe 99->112         started        process27 dnsIp28 158 94.154.35.227, 49723, 49726, 80 SELECTELRU Ukraine 103->158 160 vpnl.net 157.20.182.12, 49722, 49724, 49725 FCNUniversityPublicCorporationOsakaJP unknown 103->160 136 C:\Users\user\AppData\Local\...\dqbgsrmrf.exe, PE32+ 103->136 dropped 138 C:\Users\user\AppData\Local\Temp\bqjfh.bat, ASCII 103->138 dropped 204 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 107->204 file29 signatures30
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0ad49c49340c763a19d72e723d0eacff
Gathering data
Verdict:
Malicious
Threat:
Trojan.PowerShell.DefenderDisabler
Link:
https://tip.neiki.dev/file/5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 11:02:04 UTC
File Type:
PE (Exe)
Extracted files:
2327
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2h4zfgfxsopuycfsuncy7byvx2exngr2ptfvnnzovic53xalcyq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution pyinstaller
Link:
https://tria.ge/reports/251116-yt6dtssmcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/499210fd-267f-4107-8b63-1a4439e2fdae
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e8fcc94c5bc9cfa6045951a2c7c38adf44bb4d1d3e65ab5b975502eeee058b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38392/

Comments