MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
SHA3-384 hash:	b73c40b70aff8655ac14813acb79d1a06d045eee289a404704b7103a21f988db6563c3e09e77fe5f99e65eb289260a1a
SHA1 hash:	131eaded2b2507fa0b1fbf5677705a09496d0f4c
MD5 hash:	a11ae57c068442f751c4a7f4f5f542b0
humanhash:	september-beryllium-lima-uranus
File name:	761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	342'643 bytes
First seen:	2023-03-27 11:05:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	469a28fd506c4e9127d8283ad9556834 (1 x N-W0rm)
ssdeep	6144:5P8U5dPZDa/iuqO2pi14MlxYSCG1H95dp4kq5bx4fbJr/CYzCIbeY3opBMc:F5VZDaj5xZC2dGkebubJr/CIbbopBp
Threatray	55 similar samples on MalwareBazaar
TLSH	T1077401CAD3D602F1E1DB65F00E7AA63FC712AEDA56A64687D708CA0175F3241CC1B672
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	a02e1733035333ae (1 x N-W0rm)
Reporter	abuse_ch
Tags:	exe N-W0rm

abuse_ch

N-W0rm C2:
207.134.10.189:443

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe

Verdict:

Malicious activity

Analysis date:

2023-03-27 11:07:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/040aa5e4-6121-4e7f-94de-991192e4bcca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Kovter

Link:

https://www.capesandbox.com/analysis/377877/

Detection(s):

Win.Dropper.Kovter-6985478-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Launching a process

Creating a window

Creating a process with a hidden window

Sending an HTTP GET request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware kovter overlay packed poweliks virus

Link:

https://www.filescan.io/uploads/6421789f8f3f4544f6cc51de/reports/4588ba19-f952-4977-9cf5-349801e70b5b/overview

Verdict:

Malicious

Labled as:

Poweliks.Dropper.Generic

Link:

https://www.hybrid-analysis.com/sample/761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Kovter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6bc6bc08-06ac-46e6-9cea-b2b0f077bb96

Result

Threat name:

DBatLoader, Kovter

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1202614

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Delayed program exit found

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Suspicious powershell command line found

Yara detected DBatLoader

Yara detected Kovter

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772/

Threat name:

Win32.Dropper.Powerliks

Status:

Malicious

First seen:

2017-11-23 12:02:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oypuf4b6kdxzwlvrwecbzaomn3jezpem4lln6peh6gjuso2ki5za._file

Verdict:

malicious

N-W0rm

60d6993aa5a8afaec167636b1d2231843134714a95cf4137a0cb765e10fd4284

N-W0rm

62184398a535b5aa0ccd7457470cdb9ab4fc22aaaed11a19cef2ddba8d75eaf5

N-W0rm

b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b

N-W0rm

e0233612d6f430952f891f3ca4d40ae4c825c428691a8bdff7b34f335beda674

N-W0rm

+ 45 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader evasion persistence trojan

Link:

https://tria.ge/reports/230327-m7emgsdb84/

Behaviour

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Looks for VMWare Tools registry key

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

ModiLoader, DBatLoader

Process spawned unexpected child process

Unpacked files

SH256 hash:

4d5846e07b1c8d189a7af6f6812dec18188ce335e35b571647faeec8ccbb606a

MD5 hash:

fb47db4ff8b8400ae9ead3a1ef58b175

SHA1 hash:

568c9f5326de8b33dcf343de2b45e9856bc5c534

Detections:

win_kovter_auto

win_kovter_g0

win_kovter_a0

Link:

https://www.unpac.me/results/a358ac90-c9ac-4472-901f-cbd8e7bc6f7e/

Parent samples :

64baa604001b64764cb7aae4019abc73929ea59965fba733871e5e17377b1b84
21621ac382cc4b809513ccc6f859f4c12f049e8ac6d9e7edd41cd950278f463f
618de6ea7c34a83092d90198f6ee88f5c317dcb46d9ea320aec8c5b46ce54824
4defd9f70057e085921215b34a0b170a75f04d5365c060c0eb013e8b1948b4ef
b0b1dffc4817f772584318a9554251d1cb45a6f0955bd4819a387466ed1f347b
761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289
5acd0b023bd7da111dc456b74894af78e3355c4ed8a7e87fab9068e70fbc2268

SH256 hash:

fe15f72b0439d53c855070344ba6ccae476b2869a658044409b86d06e82ac435

MD5 hash:

0ce6bd123bb57f1401c08900f06f76d2

SHA1 hash:

f44fc3d1191f55d0becbf4f822b92bea4f38d3b1

Link:

https://www.unpac.me/results/a358ac90-c9ac-4472-901f-cbd8e7bc6f7e/

SH256 hash:

761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772

MD5 hash:

a11ae57c068442f751c4a7f4f5f542b0

SHA1 hash:

131eaded2b2507fa0b1fbf5677705a09496d0f4c

Link:

https://www.unpac.me/results/a358ac90-c9ac-4472-901f-cbd8e7bc6f7e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/761f42f03e50/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	aPLib_decompression Create hunting rule
Author:	@r3c0nst
Description:	Detects aPLib decompression code often used in malware
Reference:	https://ibsensoftware.com/files/aPLib-1.1.1.zip

Rule name:	Kovter Create hunting rule
Author:	kevoreilly
Description:	Kovter Payload

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Win32_Ransomware_Kovter Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects Kovter ransomware.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/377877/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample