MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675
SHA3-384 hash: dfbbb748094d201bbec779a6fbc8e75816cb0531c259dc2df20b938595e4902389f5f573d8b33fdb0acf8073567ce059
SHA1 hash: 2d1856f0a3e0c708e1f40cf7402db666798497fa
MD5 hash: 816565c6d0ace2591a8d1a0b6131f9f4
humanhash: wolfram-uncle-fanta-lemon
File name:Quote For Invoice_PDF.vbs
Download: download sample
Signature NetWire
Create hunting rule
File size:4'845'109 bytes
First seen:2020-11-14 11:55:21 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 49152:OKxwklfGjE0JF6PZXed++G02KspjZ/ynOBiPD8sVdnkGvzF2+FyiAjG5bCc23PnM:0
TLSH 562665335D23766F5A8EBFEC6292C4E3CC81E072F6FD15AE0C609AD4AF18451BB91911
Reporter Racco42
Tags:vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a process from a recently created file
Result
Gathering data
Result
Threat name:
NetWire AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534779
Signature
.NET source code contains very large array initializations
Benign windows process drops PE files
Contains functionality to hide a thread from the debugger
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NetWire
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 316489 Sample: Quote For Invoice_PDF.vbs Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 64 alkaline.publicvm.com 2->64 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected NetWire RAT 2->76 78 7 other signatures 2->78 10 wscript.exe 3 2->10         started        14 file.exe 2->14         started        16 file.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 file5 60 C:\Users\user\AppData\Local\Temp\name.exe, PE32 10->60 dropped 62 C:\Users\user\AppData\Local\Temp\file.exe, PE32 10->62 dropped 100 Benign windows process drops PE files 10->100 20 file.exe 1 3 10->20         started        24 name.exe 3 3 10->24         started        102 Writes to foreign memory regions 14->102 104 Hides threads from debuggers 14->104 106 Injects a PE file into a foreign processes 14->106 26 RegSvcs.exe 14->26         started        28 WerFault.exe 14->28         started        108 Creates autostart registry keys with suspicious names 16->108 110 Creates multiple autostart registry keys 16->110 30 WerFault.exe 18->30         started        33 RegSvcs.exe 18->33         started        35 aspnet_wp.exe 18->35         started        37 WerFault.exe 18->37         started        signatures6 process7 dnsIp8 56 C:\Users\user\AppData\Roaming\...\file.exe, PE32 20->56 dropped 80 Multi AV Scanner detection for dropped file 20->80 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->82 84 Creates an undocumented autostart registry key 20->84 92 2 other signatures 20->92 39 RegSvcs.exe 2 20->39         started        42 WerFault.exe 23 9 20->42         started        58 C:\Users\user\AppData\Roaming\...\name.exe, PE32 24->58 dropped 86 Machine Learning detection for dropped file 24->86 88 Creates multiple autostart registry keys 24->88 90 Drops PE files to the startup folder 24->90 44 WerFault.exe 24->44         started        46 aspnet_wp.exe 2 24->46         started        66 192.168.2.1 unknown unknown 30->66 file9 signatures10 process11 dnsIp12 94 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 39->94 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 39->96 49 file.exe 44->49         started        68 alkaline.publicvm.com 192.3.3.144, 1777, 49725, 49728 AS-COLOCROSSINGUS United States 46->68 98 Contains functionality to steal Chrome passwords or cookies 46->98 signatures13 process14 signatures15 70 Hides threads from debuggers 49->70 52 RegSvcs.exe 49->52         started        54 WerFault.exe 49->54         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675/
Threat name:
Script-VBS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 11:56:07 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hllm5cvpivv5bt6u5i7xxybntuellz2cjhq3wsn6mh7vr3lb6z2q._file
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet evasion persistence rat stealer
Link:
https://tria.ge/reports/201114-xyymshrwjx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
ServiceHost packer
Modifies WinLogon for persistence
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_netwire_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Visual Basic Script (vbs) vbs 3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675

(this sample)

AgentTesla

Executable exe 4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25
  
Dropping
SHA256 883cd4d75f7b0276880dce818338ff51790f28cdf753096fdf63190804a12aa4

Comments