MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bb5235e01056ce0d340a3042095fd29cb416e8f6a8843e3db9d547177fa1313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bb5235e01056ce0d340a3042095fd29cb416e8f6a8843e3db9d547177fa1313
SHA3-384 hash: 9645a7ff1c3f95c4e1d6d84cb8235133bb6d7fa066f80912828560b38efff0b9593e500d7d9622bb08776ee896ba88de
SHA1 hash: de3f189379a09362df6354f14af3ca3be8376d98
MD5 hash: 5fa617ebb00ea5ddb642f6a7f49e76c1
humanhash: snake-golf-cold-video
File name:de3f189379a09362df6354f14af3ca3be8376d98.bin
Download: download sample
File size:2'829'033 bytes
First seen:2020-08-20 17:05:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1b23797a66be4be12852ee93c69924f (1 x Formbook)
ssdeep 49152:A4Cs0pAYVErBBknH9f+ZAkeeawVblVycPhWWRjtccu/m:gXEudqeG870fqm
Threatray 6 similar samples on MalwareBazaar
TLSH C5D5EF2ACD2C5FA5E51A4CF1DCEE9E3D4C57ACC970018605E264FD84EFE379B926201A
Reporter Abjuri5t
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49235/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34385595.27865.7303.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Setting a global event handler
Sending a custom TCP request
DNS request
Sending a UDP request
Sending an HTTP GET request
Setting a global event handler for the keyboard
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/442126
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NetWire
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 273655 Sample: SJNRsFNyLl.bin Startdate: 22/08/2020 Architecture: WINDOWS Score: 100 65 Potential malicious icon found 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 11 other signatures 2->71 9 SJNRsFNyLl.exe 2->9         started        12 Cunioa.exe.exe 2->12         started        14 Cunioa.exe.exe 2->14         started        process3 signatures4 87 Detected unpacking (changes PE section rights) 9->87 89 Contain functionality to detect virtual machines 9->89 16 SJNRsFNyLl.exe 1 20 9->16         started        91 Antivirus detection for dropped file 12->91 93 Detected unpacking (overwrites its own PE header) 12->93 95 Machine Learning detection for dropped file 12->95 21 Cunioa.exe.exe 12->21         started        97 Injects a PE file into a foreign processes 14->97 23 Cunioa.exe.exe 14->23         started        process5 dnsIp6 55 185.86.106.226, 1972, 49735 OBE-EUROPEObenetworkEuropeSE Sweden 16->55 57 malev-bg.com 193.107.36.110 SUPERHOSTING_ASBG Bulgaria 16->57 59 2 other IPs or domains 16->59 39 C:\Users\user\...\b8UroCzXKko7mjSL.exe, PE32 16->39 dropped 41 C:\Users\user\AppData\...\jannetw[1].exe, PE32 16->41 dropped 43 C:\Users\user\AppData\Local:22-08-2020, HTML 16->43 dropped 73 Creates files in alternative data streams (ADS) 16->73 75 Hides threads from debuggers 16->75 77 Injects a PE file into a foreign processes 16->77 25 b8UroCzXKko7mjSL.exe 1 2 16->25         started        29 SJNRsFNyLl.exe 24 16->29         started        file7 signatures8 process9 file10 45 C:\Users\user\AppData\...\Cunioa.exe.exe, PE32 25->45 dropped 99 Antivirus detection for dropped file 25->99 101 Detected unpacking (changes PE section rights) 25->101 103 Detected unpacking (overwrites its own PE header) 25->103 107 5 other signatures 25->107 31 b8UroCzXKko7mjSL.exe 2 25->31         started        47 C:\Users\user\Desktop\Unknown.dll, PE32 29->47 dropped 49 C:\Users\user\Desktop\...\vcruntime140.dll, PE32 29->49 dropped 51 C:\Users\user\Desktop\...\softokn3.dll, PE32 29->51 dropped 53 17 other files (none is malicious) 29->53 dropped 105 Injects a PE file into a foreign processes 29->105 33 SJNRsFNyLl.exe 3 29->33         started        signatures11 process12 dnsIp13 61 www.xenarmor.com 33->61 63 xenarmor.com 69.64.94.128 CODERO-DFWUS United States 33->63 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->79 81 Tries to steal Instant Messenger accounts or passwords 33->81 83 Tries to steal Mail credentials (via file access) 33->83 85 Tries to harvest and steal ftp login credentials 33->85 37 conhost.exe 33->37         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bb5235e01056ce0d340a3042095fd29cb416e8f6a8843e3db9d547177fa1313/
Threat name:
Win32.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 11:35:02 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
9dbd3d33f93d61659ba4cf9213ed43b694f091bd08ba634595f68576f0881fcf
ae56d57584819808e38b6b430dd066a14cc036cec568a0832de08e3f65bccc87
d12a70b8a6d3ffadc322706397e3bf624ffe8b1917b566686997f4012db0fff7
d701dbbe5d989ef6ec473fbf061f93291ad3bf8c78796fd55afca9b5ba18872c
f86974cc3a2a1d06dcc4effe66d6e27380dd4e4e4fe254a1b88a3ea3c7e681c4
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200820-pk4byl8jbs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bb5235e01056ce0d340a3042095fd29cb416e8f6a8843e3db9d547177fa1313

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8bb5235e01056ce0d340a3042095fd29cb416e8f6a8843e3db9d547177fa1313

(this sample)

  
Link
https://www.vmray.com/analyses/555389db97e9/report/files.html
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/49235/

Comments