MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba4d461d394b8345604518df33c0d7b09c2278c9fdf2dd747c28047d0c35cfe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



N-W0rm


Vendor detections: 12

SHA256 hash: ba4d461d394b8345604518df33c0d7b09c2278c9fdf2dd747c28047d0c35cfe8
SHA3-384 hash: 8dace4a0b3b012e3a9b32ea2a13318bb727ff5aa1b23e2b742ab7262ca845bed1cfa44b7f27322ee81379968921ef5a7
SHA1 hash: 40327a7aec2b57fbe3aa7b4698d5facc1870eeda
MD5 hash: 077b9b86f7cab57cc5dd4932cbd04b48
humanhash: blue-lamp-oven-diet
File name: 077b9b86f7cab57cc5dd4932cbd04b48.exe
Signature: N-W0rm
File size: 930'304 bytes
First seen: 2023-12-01 04:05:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:fTfJ6KpXLhySBDOBGeipOF9oY23od+19AVaMsLyOtPwn:l6UXLDOBG1pA9oNod+7SaMCtP
Threatray: 319 similar samples on MalwareBazaar
TLSH: T1151523A5AFDC81A2D078507409A171809BFEFA631605E3D6F58C0747BFB3BF5992068B
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: abuse_ch
Tags: exe N-W0rm


abuse_ch
N-W0rm C2: 5.188.159.44:58001

Intelligence


File Origin
# of uploads: 1
# of downloads: 313
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 077b9b86f7cab57cc5dd4932cbd04b48.exe
Verdict: Malicious activity
Analysis date: 2023-12-01 04:05:36 UTC
Tags: purecrypter

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Forced system process termination
Creating a process from a recently created file
Deleting a recently created file
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Result
Verdict: MALICIOUS
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: ByteCode-MSIL.Trojan.ZgRAT
Status: Malicious
First seen: 2023-11-28 11:31:46 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 21 of 23 (91.30%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:zgrat rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.