MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4158ad6eca8c3087ed221953f7a69d3d40a772c5af415f32e110a46da8a9f8ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 3

SHA256 hash: 4158ad6eca8c3087ed221953f7a69d3d40a772c5af415f32e110a46da8a9f8ac
SHA3-384 hash: 2544704ec5c509ec19aaf3f987c9903c9677f86a5c0f007158b11aeabfa86d9ac6f20e5df4be6b39f3aee7d8185d73fd
SHA1 hash: 4fcee916f618c94caa9d3666110001d5c3fd26e5
MD5 hash: 998d77ec36ff4f18a30801497b4a3941
humanhash: comet-lactose-stairway-july
File name: CE348B6FC28E8FCF0CC7564E2DEED66A.ps1
File size: 803'165 bytes
First seen: 2020-06-24 10:08:33 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12288:FYqarzSlfVPsO2UsDPltGaRxoFTsvvdVNCffRw4vfWltWnpkLrnBahc0mq8j03nF:V
TLSH: F005C8E63973E55F00468771364A56EF88EACA01C68E7146B4CCDDAAE1FD9F2364C2C1
Reporter: JAMESWT_WT
Tags: NetWalker Ransomware

Intelligence

File Origin
# of uploads: 1
# of downloads: 2'180
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name: Netwalker
Detection: malicious
Classification: rans.evad
Score: 100 / 100

Behaviour
Behavior Graph:
Behavior Graph ID: 241739
Sample: hurry.ps1
Start date: 26/06/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
    Antivirus detection for dropped file
    Multi AV Scanner detection for submitted file
    Found ransom note / readme
    3 other signatures

Process tree (as rendered in the sandbox behavior graph):
    powershell.exe (started by the sample)
        Dropped: C:\Users\user\AppData\...\hkeelrhg.cmdline (UTF-8)
        Dropped: C:\Users\user\AppData\Local\...\1kvldxex.0.cs (C++)
        Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Compiles code for process injection (via .Net compiler); 2 other signatures
        explorer.exe (injected)
            Dropped: C:\Users\user\Searches\0B96C5-Readme.txt (ASCII)
            Dropped: C:\Users\user\Favorites\0B96C5-Readme.txt (ASCII)
            Dropped: C:\Users\user\Desktop\...\ZTGJILHXQB.docx (data)
            Dropped: 8 other files (7 malicious)
            Signatures: Writes a notice file (html or txt) to demand a ransom; Modifies existing user documents (likely ransomware behavior)
        csc.exe (started)
            Dropped: C:\Users\user\AppData\Local\...\hkeelrhg.dll (PE32)
            cvtres.exe (started)
        csc.exe (started)
            Dropped: C:\Users\user\AppData\Local\...\1kvldxex.dll (PE32)
            cvtres.exe (started)
        conhost.exe (started)
Threat name: Script-PowerShell.Ransomware.NetWalker
Status: Malicious
First seen: 2020-06-23 20:17:08 UTC
File Type: Text (PowerShell)
AV detection: 26 of 48 (54.17%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments