MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c
SHA3-384 hash: c20da60cd28d9768de523855b8aa3992f836fc22a59ee709e00c62874ca43f88f5d45245cc5c352b1ce079679832d7a4
SHA1 hash: da80d0db2ca983b73a08bb53ec6f1db5222df25d
MD5 hash: 1cff16414073e9bee180d323736ce07f
humanhash: table-four-virginia-mountain
File name:1cff16414073e9bee180d323736ce07f
Download: download sample
Signature N-W0rm
Create hunting rule
File size:331'264 bytes
First seen:2023-12-25 06:18:53 UTC
Last seen:2023-12-25 09:13:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:WSzceqjdZYcxOjkgQiadEdkv4PGGfTxxNtLr/iNLJss+cKT:7r8dZYqONagkwPGGfLLrK3l+cK
TLSH T18A64394B7969CD22C3885736C1DB841067F299C23777E30B79852B966D033EE990EAC7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe N-W0rm

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
kelihos
Create hunting rule
ID:
1
File name:
New Text Document mod.exe
Verdict:
Malicious activity
Analysis date:
2023-12-26 02:39:02 UTC
Tags:
loader hausbomber opendir metasploit evasion kelihos trojan lumma stealer agenttesla risepro purplefox backdoor amadey botnet vodkagats dupzom servstart ransomware stop lokibot redline remote rat gh0st nanocore vidar systembc proxy arechclient2 gcleaner neoreklami formbook xloader spyware adware gh0stcringe
Link:
https://app.any.run/tasks/81e56de9-c38a-4905-aeae-eb15978a27be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469279/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Changing a file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin powershell replace rozena
Link:
https://www.filescan.io/uploads/65891ed7b290743934ec984c/reports/058b772b-f8f8-4e09-b767-67199855f8ec/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10ee8fba-04c2-44a1-b338-2f4a166aef64
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366832
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1366832 Sample: FDeXY3pub6.exe Startdate: 25/12/2023 Architecture: WINDOWS Score: 100 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 6 other signatures 2->37 7 FDeXY3pub6.exe 16 26 2->7         started        11 FDeXY3pub6.exe 21 2->11         started        13 FDeXY3pub6.exe 2->13         started        process3 dnsIp4 27 45.148.244.112, 49730, 49731, 49732 VMAGE-ASRU Russian Federation 7->27 29 85.209.176.59, 49729, 80 ASDETUKhttpwwwheficedcomGB United Kingdom 7->29 39 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->39 41 Adds a directory exclusion to Windows Defender 7->41 15 powershell.exe 21 7->15         started        17 powershell.exe 11->17         started        19 powershell.exe 13->19         started        signatures5 process6 process7 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c/
Threat name:
ByteCode-MSIL.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 21:35:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3wqvpeeudmmskvt6iqy3otlli3yme4ibk5fsm73m7etjm4z2mga._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/231225-g26wwsdcaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
.NET Reactor proctector
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c
MD5 hash:
1cff16414073e9bee180d323736ce07f
SHA1 hash:
da80d0db2ca983b73a08bb53ec6f1db5222df25d
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/7e5123d1-3c28-4bd6-b281-99172c23ea06/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b6ed0abc84a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

N-W0rm

Executable exe b6ed0abc84a0d8c92ab3f2218dba6b5a378613880aba5933fb67c934b399d30c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2744232/
Cape
Cape
https://www.capesandbox.com/analysis/469279/
  
URLhaus
https://urlhaus.abuse.ch/url/2744334/

Comments


Avatar
zbet commented on 2023-12-25 06:18:54 UTC

url : hxxp://85.209.176.59/server/execution/WinScp.exe?fileName=Winscp.exe