MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617ad3eef0d2656b3fb56a9bf91d2eaabfb50fa61c099c1168b71e930ee7c664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments 1

SHA256 hash:	617ad3eef0d2656b3fb56a9bf91d2eaabfb50fa61c099c1168b71e930ee7c664
SHA3-384 hash:	1b1f7bba2acd14751132e0be82ea8f30bda7732453e2e54a389b86c83f50c7efc4140b196b22a18f47f5c2bb6284d068
SHA1 hash:	5078f733d390b81ed1641f1483a035f369212326
MD5 hash:	e02a7eb75df2c01c680ee3aa0fa68035
humanhash:	artist-bulldog-eight-bluebird
File name:	e02a7eb75df2c01c680ee3aa0fa68035
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	1'524'736 bytes
First seen:	2022-08-06 19:52:35 UTC
Last seen:	2022-08-06 21:23:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:qLyI+KsKMeUT41iOuSJ01i8I7XlBQV3fpJuB7L8S264M3O:bKtMeUTDqS/I7X3cvS7oS2H8
Threatray	352 similar samples on MalwareBazaar
TLSH	T169659F166EA78C07C2665F3945E6F32C9178CF803D77C712FA0A799AAA74FCC7944281
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4e4e4c4cce8e8e8 (1 x N-W0rm, 1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe N-W0rm

Intelligence

File Origin

# of uploads :

# of downloads :

415

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e02a7eb75df2c01c680ee3aa0fa68035

Verdict:

Suspicious activity

Analysis date:

2022-08-06 19:57:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f9d17edc-d8b1-4a41-96ad-d2ed44908970

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296912/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.30612.15474.13614.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Launching a process

Creating a file

Creating a window

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62eec6dd9ca9b9bfcbef2735/reports/25646622-a1b2-47f6-b9dc-6bc2203918da/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/18e2f12e-3512-49a8-8075-7db2b226c333

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1047381

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/617ad3eef0d2656b3fb56a9bf91d2eaabfb50fa61c099c1168b71e930ee7c664/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-08-04 07:00:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mf5nh3xq2jswwp5vnkn7shjovk73kd5gdqezyeliw4pjgdxhyzsa._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:free-apps discovery infostealer spyware stealer

Link:

https://tria.ge/reports/220806-ylyn1scgb8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

RedLine

RedLine payload

Malware Config

C2 Extraction:

amrican-sport-live-stream.cc:4581

Unpacked files

SH256 hash:

a6acfe617040a5005be0d1675756dc9f09596d3bb2bb3ebc8a2c6881b8c4cfd7

MD5 hash:

db843358b89f4074346cab346720ab06

SHA1 hash:

94d77a5f2d66f20baf557ad30c3ab284665980d9

Link:

https://www.unpac.me/results/8fa9a41e-51d2-4a33-af58-447142c76696/

SH256 hash:

a6831e18e8a4da777be0d563c732bb297dc00230705600c31c0152d906a2fa45

MD5 hash:

98ee6d3d7de6090101d15573842eafc9

SHA1 hash:

3af545addf6c642f146d68d818e8706e7d207b19

Link:

https://www.unpac.me/results/8fa9a41e-51d2-4a33-af58-447142c76696/

SH256 hash:

617ad3eef0d2656b3fb56a9bf91d2eaabfb50fa61c099c1168b71e930ee7c664

MD5 hash:

e02a7eb75df2c01c680ee3aa0fa68035

SHA1 hash:

5078f733d390b81ed1641f1483a035f369212326

Link:

https://www.unpac.me/results/8fa9a41e-51d2-4a33-af58-447142c76696/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/617ad3eef0d2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/617ad3eef0d2656b3fb56a9bf91d2eaabfb50fa61c099c1168b71e930ee7c664

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

exe 617ad3eef0d2656b3fb56a9bf91d2eaabfb50fa61c099c1168b71e930ee7c664

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2267648/

Cape

https://www.capesandbox.com/analysis/296912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-08-06 19:52:39 UTC

url : hxxp://141.98.6.236/FreeApps/ZvfejoxpnFREEAPPS-1.exe