MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b15ef17ccb1a99c3953f61de01ebceaeef2277b3b5939408050dc7c1010d1bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b15ef17ccb1a99c3953f61de01ebceaeef2277b3b5939408050dc7c1010d1bb
SHA3-384 hash: 3d1f64638011f771c4b83be9c88c643285f386cae83c133bddceb2fc311a0221d0baf0865b67b4b07251298553af3b2a
SHA1 hash: 95d900e5915d99ad55fb24ed8c6d04a804035b45
MD5 hash: e33ca6e0ec223d2b3e958131424eff4a
humanhash: sad-cold-hawaii-bravo
File name:UNICEF COVID-19 APP.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'713'664 bytes
First seen:2020-03-16 11:52:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Atb20pkaCqT5TBWgNQ7a5r9eU1q1ndOeBJ4OlOO5qVm7qv6A:JVg5tQ7a3eU1qZdR+Ool5
Threatray 933 similar samples on MalwareBazaar
TLSH 4285E02333DD8364CB7251B3BA166701AEBF7C2546A4F45B2FD8393DA9B0161122E673
Reporter cocaman
Tags:COVID-19 exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.2436.26200.22328.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.CAP_HookExKeylogger.21716.13449.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
1 / 100
Link:
https://www.joesandbox.com/analysis/334834
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-16 16:22:00 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmk66f6mwguzyokt6yo6ahv45lxpej33hnmtsqeakdohyeaq2g5q._file
Verdict:
malicious
Similar samples:
356d866f274623590c024a10727dc8cb49a79215b671cebe0e64a406cc0e7b77
NetWire
68f746d2933821737aafcf2bc00db8b8f2db8fe6b6aec4ea25eb0bf31b1c370b
NetWire
69a72a4e6627e9d4f81f2a4a7d83438fa05301a909093a2e86284d2bd3f9bbaf
NetWire
7e08e758f9ab52f92fb38a7d7f114ea84df6804105def422feadb8f631a6c8af
NetWire
80f56695aceb9a29286d4ca72ca2d54c02aeb3e2f22167392306701ed91a281e
NetWire
916e4a56e4263ba232f9d942d2818560c5c4b973187db81a42e6fc39de7a2852
NetWire
96e185894358d0c8c7f977fa2a586e6cf9e6e71ed2d6d23081633cd9d19c5367
NetWire
9bef20b54e2e90ef3afb0cc692ee0a4f5e843f38a3bd75aaee29e506f27d6b32
NetWire
b6b19634b174ec68dacf4a4f936d8ad91e4374737de56f1e3995b51f778f755b
NetWire
c2d6a58ae4cc93b225f512a127c751c63398d0fdb7f847b77c83cad6cb79e6bd
NetWire
+ 923 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b15ef17ccb1a99c3953f61de01ebceaeef2277b3b5939408050dc7c1010d1bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_netwire_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

arj db5038d60d1f0ee2f57fe0b3ee12f80ff10a90e088bd3316632036f4238823bf

NetWire

Executable exe 1b15ef17ccb1a99c3953f61de01ebceaeef2277b3b5939408050dc7c1010d1bb

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 db5038d60d1f0ee2f57fe0b3ee12f80ff10a90e088bd3316632036f4238823bf
  
X
https://twitter.com/cocaman/status/1239521008979189762

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments