MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 4



SHA256 hash: 9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
SHA3-384 hash: 09003a2ed9bda50c386762831ee2f69f125194e6aaa13be800554a84bf48d1ba92e2654b25ec53e70ca83f53b3e42788
SHA1 hash: e6cc0ef23044de9b1f96b67699c55232aea67f7d
MD5 hash: 6b23cce75ff84aaa6216e90b6ce6a5f3
humanhash: early-delta-illinois-table
File name: 110620.doc
Signature: NetWire
File size: 7'676'928 bytes
First seen: 2020-06-12 10:57:43 UTC
Last seen: 2020-06-12 11:59:19 UTC
File type: Word file (doc)
MIME type: application/msword
ssdeep: 49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG
TLSH: 50762AA33656AF27D5124135E399CBBE723BCC044A91826711C9DF37B83B894AD25F0E
Reporter: JAMESWT_WT
Tags: doc NetWire RAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 101
Origin country: n/a
Vendor Threat Intelligence

Result
Threat name: NetWire Parallax RAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100

Behaviour
Behavior Graph ID: 237826
Sample: 110620.doc
Start date: 11/06/2020
Architecture: WINDOWS
Score: 100

Process tree and observations:

Sample (110620.doc)
  DNS: ipv4.imgur.map.fastly.net; i.imgur.com; creativecommons.org
  Signatures: Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Yara detected Parallax RAT; 9 other signatures
  Started: WINWORD.EXE; iexplore.exe; taskeng.exe

WINWORD.EXE
  Dropped: C:\Users\user\AppData\Local\Temp\ands.dll (PE32+); C:\Users\user\Desktop\~$110620.doc (data)
  Signatures: Document exploit detected (creates forbidden files); Hijacks the control flow in another process; Writes to foreign memory regions; Document exploit detected (process start blacklist hit)
  Started: runonce.exe

iexplore.exe
  Started: iexplore.exe (child); ie4uinit.exe

runonce.exe
  Network: pastebin.com (104.23.98.190), port 443, local port 49158, United States
  Dropped: C:\Users\user\AppData\...\1508670473.exe (PE32)
  Started: 1508670473.exe

iexplore.exe (child)
  Network: pixel.wp.com (192.0.76.3), port 443, local ports 49204 and 49205, AUTOMATTIC-AutomatticIncUS, United States; cdnjs.cloudflare.com (104.16.133.229), port 443, local ports 49172 and 49173, United States; 9 other IPs or domains
  Started: ssvagent.exe

1508670473.exe
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; 2 other signatures
  Started: notepad.exe

notepad.exe
  Network: ipv4.imgur.map.fastly.net (151.101.12.193), port 443, local ports 49159 and 49160, United States; i.imgur.com
  Signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; 3 other signatures
  Started: cmd.exe

cmd.exe
  Network: sanchezemergycorp.com (94.23.29.132), port 5566, local port 49161, France
  Dropped: C:\Windows\Tasks\regsvr.job (VAX-order)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Threat name: Script-Macro.Downloader.PowDow
Status: Malicious
First seen: 2020-06-12 06:52:37 UTC
File Type: Document
Extracted files: 14
AV detection: 18 of 48 (37.50%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: macro
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments