MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 17


Intelligence 17 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
SHA3-384 hash: 269fea835d3c1dadb7b2f80225dff33a45f26f5ebd6d984828541cd010a8f073eb69f44aa19404ed125fce9d509e364e
SHA1 hash: 8c13c02fcbb52cf0476aa8ed046f75d0371883dc
MD5 hash: d3ec7e37c4d7c6d7adab1ccaa50ce27c
humanhash: robin-quiet-early-steak
File name:d3ec7e37c4d7c6d7adab1ccaa50ce27c.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:1'788'928 bytes
First seen:2023-09-01 20:21:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:0madtNLos53sku8gFkdBb8hAv4kvxxEjzB8NNS4ToNr7LtccIikW:PWPnbuDkAhARAp8NNPSr7Rccp
Threatray 169 similar samples on MalwareBazaar
TLSH T13C85DF0176B9CF96D388127056DB866C9790EEB2B263770F1F1CB259F9B23724A013D9
TrID 37.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
21.8% (.EXE) InstallShield setup (43053/19/16)
15.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
6.6% (.SCR) Windows screen saver (13097/50/3)
5.3% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon f0f0a0989898c484 (1 x N-W0rm)
Reporter abuse_ch
Tags:exe N-W0rm

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
98628dba1be12d83b13f1b2bd25d85b6
Verdict:
Malicious activity
Analysis date:
2023-09-01 15:46:43 UTC
Tags:
amadey botnet trojan loader fabookie stealer redline kelihos laplasclipper lgoogloader opendir smoke
Link:
https://app.any.run/tasks/7596a747-e667-4d44-afb8-d4a72c2ef0a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445694/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.33282.13953.26769.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/64f247ef560864d1b67394f6/reports/6e6d4ae0-6ef7-40c9-ac0d-99b5ee2eb7c6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec763920-e398-4bbb-a233-5ab73c574281
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301927
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-09-01 14:40:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
58
AV detection:
18 of 36 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohfr5i6y4je47a6gybyxviusbfge7p5jt7wi5xubnit5uuy5k7nq._file
Verdict:
malicious
Similar samples:
1695eccf307c90c8999bb6899768b316f344db4f88e5e90ac92b5e55fd903042
N-W0rm
19427b9f9fffb7a1518d34f453ea37aefc298b157c8f15a4f1ddd8ca0df00eda
N-W0rm
21c16c4ece7acb14119e33f2bdd5ee40197fc43d0e93d9841c9a6c281a739cb5
N-W0rm
39cc90115bf3ff86da4a7284b54d8f9f59cb8359dd4fa48f7188a1d604bc185b
N-W0rm
585c6f4a346365aeaf83f0f72be43074b98a360e4458c8b1e81f55ce55d1067c
N-W0rm
82ecd2b864229b43116466944478c474ac7ff2e8a0dd4f24df59d325953c2b30
N-W0rm
a42fc25e5c4b617629fe6867cb6625b17f18625b6a2102343dd51219bcd99760
N-W0rm
bd0b7ee993da6e96723b57cef78778f681b3682e00aa44c8916c91fbf7b9d058
N-W0rm
fe0d21117697c040a60ed2e1fdfd838ec09330e85a9d8505a820afad480318be
N-W0rm
+ 159 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:010923 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230901-y5kaqshh43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
Malware Config
C2 Extraction:
happy1sept.tuktuk.ug:11290
Unpacked files
SH256 hash:
ed71f26dd46c2b3f0e5c474ee531228b3063048bba0cf2638761fcf8a1e4da7b
MD5 hash:
4e03546192b69793b9a9883b0f8d58c7
SHA1 hash:
d5b91b49c718b8032d6f17638090cd0e247a2508
Link:
https://www.unpac.me/results/aa082de9-2a57-4e3b-acbf-3d25f1ea7154/
SH256 hash:
e15e3d65be19b49d9ec3a42ef694ff74495f2c13ccecb1c5fd720fb4c960f4c6
MD5 hash:
f87a1e80bcbd5fcb7eeeeed2c91ab794
SHA1 hash:
39917e75b9bd04b0638bab1f42cca885a7ad154a
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/aa082de9-2a57-4e3b-acbf-3d25f1ea7154/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/aa082de9-2a57-4e3b-acbf-3d25f1ea7154/
SH256 hash:
f6b55bd449ba6b6a7fd44d186f8ea55049266bb3111ac88575158c00d1c13b44
MD5 hash:
bd3cc3dc74845830a3c84cd52f51e312
SHA1 hash:
0d35a73b3156f521afa081ffb7f92337efac61cc
Link:
https://www.unpac.me/results/aa082de9-2a57-4e3b-acbf-3d25f1ea7154/
SH256 hash:
71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db
MD5 hash:
d3ec7e37c4d7c6d7adab1ccaa50ce27c
SHA1 hash:
8c13c02fcbb52cf0476aa8ed046f75d0371883dc
Link:
https://www.unpac.me/results/aa082de9-2a57-4e3b-acbf-3d25f1ea7154/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71cb1ea3d8e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

Executable exe 71cb1ea3d8e249cf83c6c0717aa292094c4fbfa99fec8ede816a27da531d57db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2708485/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445694/

Comments