MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d26a5cf8e279ddaa3ad924224219b550f7d431e8d6adbcb7bd36c01d4eae2d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d26a5cf8e279ddaa3ad924224219b550f7d431e8d6adbcb7bd36c01d4eae2d9
SHA3-384 hash: 110d1db4ddaba29122c76c3e54d2926ad125d91f9a5403c9eb1771df872e965451c1f7e8fccb62d8b9b41431ac8083f5
SHA1 hash: 77cf2383795bc2738a266def491770121493f439
MD5 hash: ad5d0ee9895fba1a57c2042db6997143
humanhash: salami-beryllium-table-saturn
File name:BANK SLIPS-pdf.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:671'232 bytes
First seen:2020-05-28 10:40:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d288dc5caa33b7016aaba80a9d6ba09 (4 x AgentTesla, 1 x FormBook, 1 x NetWire)
ssdeep 12288:1EXTxRvHr3x2NRWc9Wt8PjIOrtkroeUp6He73uGBYrdXXu88aFKk94hh5Phi4gHB:6j7Hr3xcRWonPjIOrtkroeUp6He73uGi
Threatray 4'375 similar samples on MalwareBazaar
TLSH 19E49E22F2A05C33C15F167D5D3BA77CA826BE513A6815722BF5DC4C9F29381393B286
Reporter jarumlus
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 09:17:26 UTC
File Type:
PE (Exe)
Extracted files:
228
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
040e2a7b73768aea00579bd04fa834afa4b33966459c4c9d4c4cddfb7cffe8c0
NetWire
1c7388bfdfb41e34dc95423b351d3b18d737889d9f8648da0ce24048d6e2f495
NetWire
1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9
NetWire
2fdb0d7b083751a10db872738e974f869b99f2ca21891a5fb96bc9440f827ffb
NetWire
3f256c15a96f8f556978318a55308e3ef709f29d93a18d0c2d262f305477cfb2
NetWire
490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
NetWire
5ef5d6bc0c7af14274c71cdc4377785a79143786556262137f496a94170ac56b
NetWire
811b6950ba9561169b22ccfc12daf0fc57f26a910272f56288bd0d7c10da5c15
NetWire
bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a
NetWire
c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
NetWire
+ 4'365 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-cjh988pkn2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/hm2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip d27912f5594adcf580dd98a2cb9a3f684c98c3bf2d5eaea1452fa33e687df1f9

NetWire

Executable exe 1d26a5cf8e279ddaa3ad924224219b550f7d431e8d6adbcb7bd36c01d4eae2d9

(this sample)

  
Dropped by
MD5 7ee688c5071c5f8abf8994e6d98d3b81
  
Dropped by
SHA256 d27912f5594adcf580dd98a2cb9a3f684c98c3bf2d5eaea1452fa33e687df1f9
  
Delivery method
Distributed via e-mail attachment

Comments