MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e
SHA3-384 hash: 60a1b51366c912870e1613f2aa896bff321a369ccb7677fe3896a82881a544ebfe6f49a6b113410eb5617e0d5a8c6346
SHA1 hash: b72763f1e5fde2e19dd1a2f96b825431f254d872
MD5 hash: ccfc0e5dbe36a948d8ffd3ac3e07cb23
humanhash: carolina-eighteen-maryland-kitten
File name:ccfc0e5dbe36a948d8ffd3ac3e07cb23.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:1'913'120 bytes
First seen:2023-11-30 07:40:09 UTC
Last seen:2023-11-30 09:32:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:/gYVj/1somARCS24FDlOapAp4PmHbvS/vXffBsPffgV:vWuN24LRypUrvXhsAV
Threatray 3 similar samples on MalwareBazaar
TLSH T1A495AF8623D6596EF09E1F33C4E11B67A778E8D0F79ED35A104227BA4C337529EC2612
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
91.92.252.74:58002

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ccfc0e5dbe36a948d8ffd3ac3e07cb23.exe
Verdict:
Malicious activity
Analysis date:
2023-11-30 07:49:27 UTC
Tags:
pureloader loader
Link:
https://app.any.run/tasks/0dc8eba2-e663-4a41-9951-77054bb345fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461355/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.5172.1501.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Forced system process termination
Deleting a recently created file
Creating a process from a recently created file
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0da1333b-cdb4-4bf7-980a-22e2f1c4c79d
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1350410
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1350410 Sample: e7PBuozLEV.exe Startdate: 30/11/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Antivirus detection for URL or domain 2->70 72 10 other signatures 2->72 8 fharo.exe 2->8         started        11 DependentAssembly.exe 3 2->11         started        13 e7PBuozLEV.exe 3 2->13         started        15 5 other processes 2->15 process3 signatures4 78 Multi AV Scanner detection for dropped file 8->78 80 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->80 82 Suspicious powershell command line found 8->82 92 2 other signatures 8->92 17 fharo.exe 8->17         started        20 fharo.exe 8->20         started        84 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 11->84 86 Injects a PE file into a foreign processes 11->86 22 DependentAssembly.exe 2 11->22         started        88 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->88 24 e7PBuozLEV.exe 6 13->24         started        90 Potential dropper URLs found in powershell memory 15->90 27 conhost.exe 15->27         started        29 conhost.exe 15->29         started        31 fharo.exe 15->31         started        33 7 other processes 15->33 process5 file6 56 Suspicious powershell command line found 17->56 58 Found many strings related to Crypto-Wallets (likely being stolen) 17->58 60 Tries to harvest and steal Bitcoin Wallet information 17->60 35 powershell.exe 17->35         started        62 Writes to foreign memory regions 22->62 64 Injects a PE file into a foreign processes 22->64 37 InstallUtil.exe 3 22->37         started        40 InstallUtil.exe 22->40         started        48 C:\Users\user\...\DependentAssembly.exe, PE32 24->48 dropped signatures7 process8 signatures9 42 conhost.exe 35->42         started        74 Injects a PE file into a foreign processes 37->74 44 InstallUtil.exe 37->44         started        76 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->76 process10 dnsIp11 52 91.92.252.74, 49709, 49711, 49712 THEZONEBG Bulgaria 44->52 54 94.156.71.74, 49710, 80 TERASYST-ASBG Bulgaria 44->54 50 C:\Users\user\AppData\Local\Temp\fharo.exe, PE32 44->50 dropped file12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7innuvzzvix645vpc2yixlstseio2iq4nmqgsr7cxonspc6kbxa._file
Verdict:
malicious
Similar samples:
afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e
N-W0rm
ca340328a09ac92cb4560a3ae9b479d314c5aa1eb551e38bf138034cd41abce7
N-W0rm
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/231130-jh4crshd3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
8f47a410652f4078184dcd8778211c8370573525f661158714caccb53e30c7a9
MD5 hash:
a6ea8c8a70da4805463d00902e8d2ab0
SHA1 hash:
f228d7ca196b0e7f432722329ed18535d6b0dc09
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
8326daabe2e0e228f9e0bdc93287e98fddbbf52a5033c86f888875b0ba31c14a
MD5 hash:
526ddd86cf048186eb5b3eac887ceaa0
SHA1 hash:
dcf61e107178ff1529228439f392f662971ab83e
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
3c90b0de9591e57fd414398fde94b2c92a0995e72ae7cd6da1f90b7e17fc3345
MD5 hash:
f90a56d8b309e9dc896fa2cea4b0f4eb
SHA1 hash:
98661d1da6a2e6fb8e0efeb1e0be9ea94fc2840c
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
033195d9aea72e445fb47b4dac32fedbf5ddddf86bac74e523cd6193593e459c
MD5 hash:
3d831055927ae7a53a57fa0d83cda00e
SHA1 hash:
7bc9151325b0491e2a4bba5f7b188c49b7bee957
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
993ae1cf7b9d503d7b37a8a7bd2f510a144df4095d81a0e7ecc02f0ed8a22110
MD5 hash:
df5a4f9b0979a56c04e876eb2cab818c
SHA1 hash:
e61680604ad8b0cade541b42b8d1e718cbfc3e1a
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
0faa08e8743b10669c3aa19af6e22f504603bc3cee629eb78180bba66b2f9641
MD5 hash:
75a2447faa1bc6175531fa944e7599ee
SHA1 hash:
8480144cb93b2c8c3016a61e90219388b89db7a4
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
cb091105fe49bfda2bf279a68a324c3b748e2d689ec4cfba98b70b63890b2b0d
MD5 hash:
b1ff6b1d35329aa80157f7143d2177f9
SHA1 hash:
484092651baae08cf3d0c4d43c83ca200ebd5294
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
9770253552a3809706e86e03e80be08ea3971b1a73f74d912f46b77ff00cc2b3
MD5 hash:
d35011fe5e2ba1db15c21d38491e03da
SHA1 hash:
1d38556f3975a97f82bb7616917b7a1e25be4066
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
SH256 hash:
afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e
MD5 hash:
ccfc0e5dbe36a948d8ffd3ac3e07cb23
SHA1 hash:
b72763f1e5fde2e19dd1a2f96b825431f254d872
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/29fb5ede-a0ba-4c60-8846-54990633d845/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/afd0d6d2b9cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

Executable exe afd0d6d2b9cd517f73b578b5845d729c88876910e359034a3f15dcd93c5e506e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2736238/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/461355/

Comments