MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
SHA3-384 hash: 5673ec25b228de32d4ceb50b3dd171a3b3918fcf7e19f27d595d6bf39a098f522474de22ddcbbdea9684d9eaf2b484c3
SHA1 hash: 163ebc2f064facaea74479df340e6c8d96276661
MD5 hash: ead7a883e3171b51d44fc46fcf0a6fa2
humanhash: jersey-robin-mars-yankee
File name:95054CF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:765'952 bytes
First seen:2020-10-01 11:12:26 UTC
Last seen:2020-10-01 11:50:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7b77a61ee24ce08cb29799de7a6bade (1 x NetWire)
ssdeep 12288:XDykuCYYDBdxVbkV7GH7lsNSfrkatm5fbgZj0Y5tjMIm1h8Cb64tFvFtVeQCtpHf:XDykupgxVbQGbqNGrZtm920DhZ64tZ34
Threatray 2'377 similar samples on MalwareBazaar
TLSH 5DF43375E158F032FC101E33B9049DD9A139BA11AF588D1AB8FE361D61718ECAB13A4F
Reporter srcr
Tags:exe NetWire PonyStealer


Avatar
srcr
Sample source: http://publineon.com/wp-includes/js/dab/95054CF.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67391/
Detection(s):
SecuriteInfo.com.Heur.PonyStealer.Um0@ci9nxBpG.18239.11306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Deleting of the original file
Enabling autorun
Result
Threat name:
Netwire
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/479249
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-01 11:14:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wglttliahvn32xzpzsm7bum5elftrgxhrsub6mkhft7unhstz4wa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0c017b57d7f1cbfa01f54deb15b7f04b8923acd4585435050589b1762856247e
NetWire
150b2b068639c918e134e69b557f929dea81cf3a6d563aba39640227bdd029d3
NetWire
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
6da998a52419846d81837d9a88d0b1e02f1816adf89ff6e91bb5de5c57abcc9a
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
a8327d7e2395ea7fb71062275b3a7f24ce586d7ccd0301ed2a1df1699e2d9b9b
NetWire
c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc
NetWire
cfad7f3408fcc08ca91d0e0fe624088c1c2fda17b460e17812c0362061124b18
NetWire
d488a34718cf2db560dd4c62ccb5fac527cc192716c2d166a71f98abd384aba6
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
+ 2'367 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201001-evbtpftrj6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Deletes itself
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
MD5 hash:
ead7a883e3171b51d44fc46fcf0a6fa2
SHA1 hash:
163ebc2f064facaea74479df340e6c8d96276661
Link:
https://www.unpac.me/results/1af04d70-e84d-4fc6-b78b-8c745280b152/
SH256 hash:
fbeb9303e33f1dd39b27bddade0eba4cf34335c517953e70df01621f0f87a291
MD5 hash:
a7814d78760fe04673ef064c8b6133e3
SHA1 hash:
441094086d7ddab27aa204189650cb394ecca9b4
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/1af04d70-e84d-4fc6-b78b-8c745280b152/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/67391/

Comments