MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62e2a9186c1fab1693c2db86b723cbfd4d51accdd03d6baa324f1e02e78e5913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 12

Intelligence 12 IOCs 2 YARA File information Comments

SHA256 hash:	62e2a9186c1fab1693c2db86b723cbfd4d51accdd03d6baa324f1e02e78e5913
SHA3-384 hash:	955411afda73e75b7ee85a06da64b0c48517676b73034e362b6c3211085645fd873232baf3f5d505da4e8b97913f9f33
SHA1 hash:	8c5acb562c8aabb51dc7814b1261e3f7af4ab1c6
MD5 hash:	a4a4e25eeb1021b9e19f4ba6922d73ff
humanhash:	zulu-pennsylvania-fruit-fanta
File name:	a4a4e25eeb1021b9e19f4ba6922d73ff.exe
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	5'990'947 bytes
First seen:	2022-03-10 22:30:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:Jgetc5LSDOk9yCpMB4KNUEuDw44o++Ig3O8ZN2XO0bRZ5sNWJjbt7+CKcUVZ/itk:JPwYxyCOJNUnDflIUO8y3NMNW77tKHWC
Threatray	6'550 similar samples on MalwareBazaar
TLSH	T17C5633834B65D58FFD76DEB0E24469B2B43FD17D0E38581E6784E42F6D861B2AC28702
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe N-W0rm

abuse_ch

N-W0rm C2:
http://91.219.236.212/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://91.219.236.212/	https://threatfox.abuse.ch/ioc/393367/
193.106.191.67:44400	https://threatfox.abuse.ch/ioc/393504/

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/249243/

Detection(s):

Win.Dropper.Pswtool-9857487-0

Win.Packed.Barys-9859531-0

Win.Packed.Jaik-9863991-0

Win.Packed.Tiny-9901377-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Searching for the window

Running batch commands

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe manuscrypt overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/622a7c290cd58dbd927974e1/reports/c917df9c-edb9-42fd-8436-57ae7ee35da1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Socelars

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/909a869e-6376-4128-9fb9-abb65d449e6e

Result

Threat name:

RedLine SmokeLoader Socelars onlyLogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/954564

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Detected unpacking (changes PE section rights)

Disables Windows Defender (via service or powershell)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sample uses process hollowing technique

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected onlyLogger

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Socelars

Yara detected WebBrowserPassView password recovery tool

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62e2a9186c1fab1693c2db86b723cbfd4d51accdd03d6baa324f1e02e78e5913/

Threat name:

Win32.PUA.PassView

Status:

Malicious

First seen:

2022-03-09 12:37:00 UTC

File Type:

PE (Exe)

Extracted files:

301

AV detection:

31 of 42 (73.81%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mlrksgdmd6vrne6c3odloi6l7vgvdlgn2a6wxkrsj4pafz4olejq._file

Verdict:

malicious

N-W0rm

1e769ecd87928bf1e50a23f6e159c7326a1c6724f66e53d0f3d920784bb15257

N-W0rm

41df967faab672334124024b016e41d86660ade85d71d86a55b8c3c24fb70c99

N-W0rm

42f948f52ddd00b51cb6a12de8a90ed30a40defa8e30ce6246a4f6fcce100f49

N-W0rm

7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813

N-W0rm

c5061cf2961513f91ee1b2c0f50bf8a11928ac068b02ba825b3b0410de507224

N-W0rm

d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a

N-W0rm

+ 6'540 additional samples on MalwareBazaar

Result

Malware family:

socelars

Score:

10/10

Tags:

family:onlylogger family:smokeloader family:socelars aspackv2 backdoor discovery loader spyware stealer trojan upx

Link:

https://tria.ge/reports/220310-2fc2xaccf3/

Behaviour

Checks SCSI registry key(s)

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

OnlyLogger Payload

OnlyLogger

SmokeLoader

Socelars

Socelars Payload

Malware Config

C2 Extraction:

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
http://pjure.at/upload/
http://puffersweiven.com/upload/
http://algrcabel.ru/upload/
http://pelangiqq99.com/upload/
http://elsaunny.com/upload/
http://korphoto.com/upload/
http://hangxachtaythodoan.com/upload/
http://pkodev.net/upload/
http://go-piratia.ru/upload/
http://piratia.su/upload/

Unpacked files

SH256 hash:

d00d8f312c6c757115fcd9c3f010197cbb98ed451ff879c9c93b25f4b3457815

MD5 hash:

68237153ebe77095442b437998b57388

SHA1 hash:

9a7b0fb5b4d9ea1e40c7f011d63ba0a57b4d3d51

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4

MD5 hash:

0dedd909aae9aa0a89b4422106310e9e

SHA1 hash:

271d36afa5b729ee590cf8066166ca5e9c9d0340

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8

MD5 hash:

5264c8567cf762e7cd37971a88b28a45

SHA1 hash:

ffd23a453665086713bbeccf0029c5b026d4c47e

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

55c78f98d6802e6fdb850f7d3c22aef482ca683e3d66f5b36a9a64857af36fa5

MD5 hash:

a552088050c52b999c65f3be1217386a

SHA1 hash:

c78f858657e0e81ed156113f5cc3a616c6d8208c

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

e81ef9e880d0fd5f8cd245609c80be74f001d9e17480529277a30408b1f1d842

MD5 hash:

05994e885eb545722eba5f2016e31d2b

SHA1 hash:

ad7b0377d44c9b6783014ceb37482339ce09bdd2

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

ffa44bbeb098e3190a5d207ecb1914733c7532522c16d9c2ebbbdc1fd19fb634

MD5 hash:

7ab56c40763c2c0d0a1ec00695a35bb0

SHA1 hash:

a79a0fef03ef72b31a074b57491d4b8afe080d37

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

69fa77836b0217cfe10ef3c5bafaefb05e56145b415dc88bd163d35efcac408a

MD5 hash:

31805a8cd198c312435af4585547f36e

SHA1 hash:

a705429e315d84c9b9b5a84d148408129c2e0cc9

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

9ef0a4c0a0f7106d3384adc2379680619a9e534be743c58270f212611837573c

MD5 hash:

69ccecd382f01df450ad6c6c6105d010

SHA1 hash:

98f10f60395bb3724f38bf8794e2ad30e0e1b3b4

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

a0820a0a7fa78ad41eb135a41db4355eed4d2291ce4414161d20f4dd01eb56a3

MD5 hash:

4085bcdabf1ff6b77e8c40d8c1d7c597

SHA1 hash:

5a9e25997147602f27fb502a03479b7097d203e1

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

247ee918d75188bbadec976fbdb5f270d49341ee27dce00f7c1946e51897cd4d

MD5 hash:

b0d72bc9c46df0dbf88e0df775813501

SHA1 hash:

1d02f9a1fb01c19e339e180bb0f69c1a7495a64b

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

8301e8ca662d5507a8b282b82db8cb059b7be1d3f7be59166d1e75aec5fa24c4

MD5 hash:

f40e3ed77a5ff9624a1c8dc136d9b349

SHA1 hash:

5f9924e388f0e825b7397c6c276056d712c9e61a

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa

MD5 hash:

4f93004835598b36011104e6f25dbdba

SHA1 hash:

6cb45092356c54f68d26f959e4a05ce80ef28483

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

e16f68152fa7be7dd8aff55aeff59ddeae48b4b95e3d3ba33016f65e632a6706

MD5 hash:

a8e7034f8220f722f4aca2edcc9c42eb

SHA1 hash:

656d7d88fffd3820deb1741564807990c3851114

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c

MD5 hash:

83b531c1515044f8241cd9627fbfbe86

SHA1 hash:

d2f7096e18531abb963fc9af7ecc543641570ac8

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

7743544b217261f5fb578b788fe84c501320b4aa44f5c1162816b8f1dc1c864f

MD5 hash:

3a427813bcaac7ee86f88e8e01bc955f

SHA1 hash:

606e4b343fbb47bbb5fd9a92e7654ca23cf1695f

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

573b56bce6efdff56eb8d228810b210b02da286b00c3b1d1d4dcffb1084acc4e

MD5 hash:

82b20280e329148c25fae4c7054c5b89

SHA1 hash:

deeaca8e27f4646c00928a1d59714d202cf97f45

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

9703314040557dd7df67c13394b2dbd4302aacc8482f29453205a8f847fdffe7

MD5 hash:

b79aad87075c8290eda975dfe3463361

SHA1 hash:

3890ed85fb602c5e669dddd420930f2096449111

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

8bd855a3bedd17680ebb9a6ffc5b76f7c268e1e0d05274ced8a3616a419f6021

MD5 hash:

53c3c1d2d756c2a47b7ed9d5f9eaa48a

SHA1 hash:

6812317f4226307ec4916e16f2e9841dcdfaf878

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

0c7de2d4f0ab1870eab9bfd69618958600c52541d1bae3f2e6e752ccd5c2aee9

MD5 hash:

173ca6bd8897e829080b44681aea471e

SHA1 hash:

a3b64e06112c21d54124817751eb8e86faa53124

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

83da05e18535d7285286531901ab8fe941061300b8c58a3a78c8c1ffa765e523

MD5 hash:

eb8ea98e30d9bf2bff5201090263a5ea

SHA1 hash:

af0f7369adfcbe3395faaa36c9688275db04c56e

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

aa854df1095119f1dfa6f2a447fbe6414728d9ca799ff693ad4cb44fe6d4af56

MD5 hash:

a189383ec332ef6cfa26302e3f2cb61b

SHA1 hash:

c49e4a80833f7be5b3226dce35a3be59ba4314b1

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

SH256 hash:

62e2a9186c1fab1693c2db86b723cbfd4d51accdd03d6baa324f1e02e78e5913

MD5 hash:

a4a4e25eeb1021b9e19f4ba6922d73ff

SHA1 hash:

8c5acb562c8aabb51dc7814b1261e3f7af4ab1c6

Link:

https://www.unpac.me/results/eb927f15-2fcc-41ef-8a6f-a9a8f486de44/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/62e2a9186c1fab1693c2db86b723cbfd4d51accdd03d6baa324f1e02e78e5913

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249243/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample