MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 5 File information Comments

SHA256 hash:	67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6
SHA3-384 hash:	dfef8f339878b56aa0b05f5b732c11e266622ae1827fa5891247ab05e17b798e15e52ee3071201e4d45a84b59ed1686d
SHA1 hash:	40402292ae6494feddea424f0c6e790f6213135d
MD5 hash:	650386014950c28af230457e4686bfe4
humanhash:	wyoming-emma-apart-alaska
File name:	650386014950c28af230457e4686bfe4.exe
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	358'026 bytes
First seen:	2022-08-27 16:10:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep	6144:OB+pgUztdbOfgLqI5wT5QvPo1fD6WV7w/zMOCpVphfPGd2s1au42w2LNg:Og7ttDB5w1mOAKVOEs1auLw2LNg
Threatray	2'221 similar samples on MalwareBazaar
TLSH	T17974122037C5C937C42456715C7686FB2FA26ABE4531DE1B3700BB1E7AB2658CE0A7E1
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter	abuse_ch
Tags:	exe N-W0rm

abuse_ch

N-W0rm C2:
143.248.147.181:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
143.248.147.181:80	https://threatfox.abuse.ch/ioc/845733/

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

650386014950c28af230457e4686bfe4.exe

Verdict:

Malicious activity

Analysis date:

2022-08-27 16:13:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/59041b13-59a8-4849-8705-30cce59dab74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301646/

Detection(s):

Win.Trojan.Locky-32294

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Launching a process

Creating a window

Creating a process with a hidden window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/30347/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cerber kovter locky overlay packed poweliks shell32.dll

Link:

https://www.filescan.io/uploads/630a42943cbb13868a8b2980/reports/84bc7065-6e29-4f6c-9d4a-ac5b0e58b394/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Kovter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b254a0a2-0dbc-4c1c-961d-633ad6916578

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1058968

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to detect sleep reduction / modifications

Creates processes via WMI

Delayed program exit found

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Suspicious powershell command line found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6/

Threat name:

Win32.Ransomware.NSISRansom

Status:

Malicious

First seen:

2016-10-28 04:39:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4aszfkvqbh372bpc7xg27ijdfxngvqfhyxhpd2jvgmkjnyy22ta._file

Verdict:

malicious

N-W0rm

25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5

N-W0rm

29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03

N-W0rm

911860ba2f0c1d6b668bc865e77cdd09ef29682fa0ea39846b0affef39fa9e61

N-W0rm

a6c03e7b69ffe6152468171e8669db1915efc0f225449dd2278f0c7e40e15ee2

N-W0rm

cbd2e4d355d89e4ee867270ff57a6602d33cfed8eaab417e63ee0ba25d788abc

N-W0rm

eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1

N-W0rm

+ 2'211 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader evasion persistence trojan

Link:

https://tria.ge/reports/220827-tmxqwsdaej/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Drops startup file

Loads dropped DLL

Looks for VMWare Tools registry key

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

ModiLoader, DBatLoader

Process spawned unexpected child process

Unpacked files

SH256 hash:

e91b5c8ad2f4b949a44e773b2b3970fa312aafc29e6cb12ab9c08af15e51ca25

MD5 hash:

57d89cd0d52303ea58132c87e23fe5cd

SHA1 hash:

0a45d566b47e0131a4a6afd8a54d3a36c8faff31

Detections:

win_kovter_a0

win_kovter_g0

Link:

https://www.unpac.me/results/3177027c-4ba9-45cf-a030-5f2229ec4548/

SH256 hash:

9d4dcb111b52289f3b005a6ae02de2b2ef66bbe0b761d009a59bf470e95ed7ae

MD5 hash:

7583254ceddf4c35b2ba3acaabecce8b

SHA1 hash:

edaca4bdf6a3793e2390d56d73b3ddf53672e2ee

Link:

https://www.unpac.me/results/3177027c-4ba9-45cf-a030-5f2229ec4548/

SH256 hash:

067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

MD5 hash:

0d45588070cf728359055f776af16ec4

SHA1 hash:

c4375ceb2883dee74632e81addbfa4e8b0c6d84a

Link:

https://www.unpac.me/results/3177027c-4ba9-45cf-a030-5f2229ec4548/

SH256 hash:

9037bb024459626a4418e0026ab686afc874374f1871b26bc01189e7d79008f0

MD5 hash:

56a0dd9682a3d47b18f67f2288f333a3

SHA1 hash:

6c1c911e76f8732a4571f75a35a84ece6d58b937

Link:

https://www.unpac.me/results/3177027c-4ba9-45cf-a030-5f2229ec4548/

SH256 hash:

2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

MD5 hash:

a4dd044bcd94e9b3370ccf095b31f896

SHA1 hash:

17c78201323ab2095bc53184aa8267c9187d5173

Link:

https://www.unpac.me/results/3177027c-4ba9-45cf-a030-5f2229ec4548/

SH256 hash:

67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6

MD5 hash:

650386014950c28af230457e4686bfe4

SHA1 hash:

40402292ae6494feddea424f0c6e790f6213135d

Link:

https://www.unpac.me/results/3177027c-4ba9-45cf-a030-5f2229ec4548/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67012c9555804fbfe82f17ee6d7d09196ed356053e2e778f49a998a4b718d6a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	aPLib_decompression Create hunting rule
Author:	@r3c0nst
Description:	Detects aPLib decompression code often used in malware
Reference:	https://ibsensoftware.com/files/aPLib-1.1.1.zip

Rule name:	Kovter Create hunting rule
Author:	kevoreilly
Description:	Kovter Payload

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_kovter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/301646/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample