MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c69d4f3d3488730af36bd778d4b976746743389f89f99f7747d82717ed5e4679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 12



SHA256 hash: c69d4f3d3488730af36bd778d4b976746743389f89f99f7747d82717ed5e4679
SHA3-384 hash: 085b4e37b216089ebb9129cbc8b0a9234f090bf9b017971395c7753e5a0715ccc33694e29adadd94f22ccf955fd1e561
SHA1 hash: 5434c5826d32c2db3704cf08c5a7f144c240a999
MD5 hash: 90bc6846262503af47f225431c9d58c6
humanhash: vermont-hamper-bulldog-cat
File name: c69d4f3d3488730af36bd778d4b976746743389f89f99.exe
Signature: N-W0rm
File size: 381'444 bytes
First seen: 2022-03-11 09:11:22 UTC
Last seen: 2022-03-11 10:46:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fd0ede3c5c8544ae63b9b4361c8fee0a (1 x N-W0rm, 1 x RedLineStealer)
ssdeep: 6144:lxahm9655Zlzrpe28EhmQyjgFoR3PImtl+ZjIDhAl:7as98pzMbEhmQcgFoAql+ODC
Threatray: 1'794 similar samples on MalwareBazaar
TLSH: T1E284F132BAD1C036C16395316875C6B5663EB4324BBAC54B3B744B390E713929BFB306
dhash icon: 006460d02cd9d099 (1 x N-W0rm)
Reporter: abuse_ch
Tags: exe N-W0rm


abuse_ch
N-W0rm C2:
193.106.191.67:44400

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
193.106.191.67:44400    https://threatfox.abuse.ch/ioc/393504/

Intelligence


File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Sending a custom TCP request
  Creating a window
  Using the Windows Management Instrumentation requests
  Reading critical registry keys
  Creating a file
  Launching the default Windows debugger (dwwin.exe)
  Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm greyware overlay

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Found malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2022-03-11 09:12:13 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 24 of 27 (88.89%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:redline botnet:ww infostealer
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  RedLine
  RedLine Payload
Malware Config
C2 Extraction: 193.106.191.67:44400
Unpacked files:
  SHA256 hash: 872b70cbcfff347c037512b7cdb4f20bbbe12a7d4f626b3bd603fecc9d223dbb
  MD5 hash: 7e000a1b4de1235793d391334171388f
  SHA1 hash: 47a9873f8d1020549fb2f73d514012e31ab02b90

  SHA256 hash: eb0a7dc62ba84361a80f8a9c17b8f8b4de58a2a4aaa474f99e25635ab4489e2d
  MD5 hash: 50546a24f684d707b9dd0693180abb2c
  SHA1 hash: 4473333d79a4dd6f251e2c4e60b6e89b09de8e14

  SHA256 hash: 1d877b01e1bd2207a6cc755e69fc4cd1d2eaadc20d2158c016ddc748e0e432b6
  MD5 hash: 9f70fd3bf3906c87b7d3639c34817f89
  SHA1 hash: 3e159a286a7ff698db4f28958501d211d345ae2e

  SHA256 hash: c69d4f3d3488730af36bd778d4b976746743389f89f99f7747d82717ed5e4679
  MD5 hash: 90bc6846262503af47f225431c9d58c6
  SHA1 hash: 5434c5826d32c2db3704cf08c5a7f144c240a999

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
