MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 134e51b800db1c1a5696a4624bc1693fab9019e81ea0a43af7067e00f6cd5b67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 134e51b800db1c1a5696a4624bc1693fab9019e81ea0a43af7067e00f6cd5b67
SHA3-384 hash: c6773085340024418d850e4aed32822f1f445977804bbf736fd9e217abaae8b97eb5441c097804a75b7a2398e3b5bdd6
SHA1 hash: 54bf206b14af453836c4cf778301a50167d14e28
MD5 hash: ad4264204214a9bc4941f0f5011de1e4
humanhash: jersey-ten-vegan-mexico
File name:SecuriteInfo.com.MSIL.Kryptik.VYF.4899
Download: download sample
Signature NetWire
Create hunting rule
File size:873'984 bytes
First seen:2020-05-18 10:33:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:s63eJnexUZEt6SvpnqQtZjZeopBMmwPtbg7DFM1nBJKSgb3r:cTSvMQtZjnYVUDO1BJHW3r
Threatray 735 similar samples on MalwareBazaar
TLSH FA059D2934928468D53AC23260699DC6B63E2A8237D68B9F77DF530C5F0328F773958D
Reporter SecuriteInfoCom
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VYF.4899.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-18 07:40:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnhfdoaa3mobuvuwurrexqljh6vzagpid2qkioxxaz7ab5wnlntq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2c13ec5658318ce81c8da312fc020d69b881cd98ac01f7dae28c7e0150ce1698
NetWire
38cab7aaec4c38fcb5a56b1006e584c329513147d22738258f4428c2568d92a5
NetWire
55b9d7cc4b318717f3c48239616132442ee5815c4897d3b154444b825b44657b
NetWire
5d4d3a449bd4ed7a879d585c182bad5d7f0ee24d04bc862e5043c344f2bd6f86
NetWire
664be65b2f620c8af70ddcf992b2a85ea9a367fafecc0bc3e3fc001552fe4940
NetWire
668c31c58c0816f31b863d088cb88ff43f7c69aeae0e21734f96dd9a5992a872
NetWire
ba4efa15d257c04c9a2cee7ba9b4deb618c77ad7afb0a42c62a6f2151d4127cc
NetWire
c7ec629a5196371b92017267aa3f51ad05d246bd72911bc24e4d2f47605e533b
NetWire
cf30b045e8188ea315a78544ab537ac92dbb76032af641c6fa9c7d1f0af8c995
NetWire
e6b62ef1705eb10b32890c775836744bb1bd996aa60d34181a088fea4ac7125a
NetWire
+ 725 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-xhm3n48czs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Modifies service
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments