MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
SHA3-384 hash:	637ec0fb5de8b9c36a07264592922f3360cd6b386b457cd876fe2ab6eab8ed3afb282db6a32fa212ae6944d1e137f16f
SHA1 hash:	615302fc70f9f60b5495cfd8b81e4c1be28ef87f
MD5 hash:	e8d0ce1d7b79d9c32f2263277f009ebf
humanhash:	edward-crazy-social-two
File name:	Scan00198.docm.vbs
Download:	download sample
Signature	NetWire Create hunting rule
File size:	234'281 bytes
First seen:	2020-09-01 14:56:14 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	3072:n6U3s9QLgIEoJ3929QeHsYDKhsW9H/nS/UgaR+CZp8Vigs+WGyo:n67WT9Jt2rsYDjW9HfeUdR+CZpfgJWto
TLSH	8F34F63003463C9AFA947ECBD9503BB54C7E3BD34242D479980BE662BAE91181EBF475
Reporter	cocaman
Tags:	NetWire vbs

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Netwire

Link:

https://www.capesandbox.com/analysis/54068/

Detection(s):

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Sanesecurity.Malware.26270.JsHeur.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/456735

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Contains functionality to log keystrokes

Machine Learning detection for dropped file

Multi AV Scanner detection for submitted file

Potential malicious VBS script found (has network functionality)

Sigma detected: NetWire

VBScript performs obfuscated calls to suspicious functions

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-09-01 14:58:06 UTC

File Type:

Text (VBS)

AV detection:

11 of 29 (37.93%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wxxi6waq5nkrrscid6cf2c533m7h4fyjxlvpypxxi6np7uyu5epq._file

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/200901-46qxx6gl5s/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Dropper

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

URLhaus

https://urlhaus.abuse.ch/url/451168/

Cape

https://www.capesandbox.com/analysis/54068/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample