MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf
SHA3-384 hash: 2f7637c4760e7e7cce61e6663ad82861b75f2a7357fcadb557284ad15b5a105f6ce58eab78eb4cdd62a2431e34a66c03
SHA1 hash: ea84805a9d4e45aba026033a15730678fb6ac957
MD5 hash: be2cc1521dcc84524d3ed8f294eef607
humanhash: fanta-cola-ten-kansas
File name:Orden de compra mv85894.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:984'704 bytes
First seen:2021-06-13 08:32:57 UTC
Last seen:2021-06-13 09:34:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a08047ed05d96265100ca97553e90f55 (1 x NetWire)
ssdeep 12288:qKWXw4bc1NhDVFvci6VXI7ikDOHFR6ly2WGTZt6zqX0uNb+T0HXX+jBnnXLVgKRs:q5XYfDjAVrk6FIl5Ztmq/XQB/E
TLSH 26254A59A243C9F0E92727B84C2956A8D4EA7D333B748C4A25B07A4C79FF2903D1DD87
Reporter GovCERT_CH
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
488
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden de compra mv85894.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-13 08:37:20 UTC
Tags:
installer
Link:
https://app.any.run/tasks/d29734e6-80c8-4c21-852f-1d9e384797ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166305/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4d82729-2860-40a9-be00-ffce619ac230
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/801280
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-06-11 17:09:35 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxj4dr6nr5kulk5tyb5wuvtwygsjpgwnzmkodaczdjodn6gpz27q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210613-4lw4hw3w7n/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32
MD5 hash:
3e9b080fb62948db627a904b7af653ea
SHA1 hash:
93a66126bdeb846724b41d44c6a7cac15c5ed636
Link:
https://www.unpac.me/results/d5e2bffb-25fa-4690-9dc7-01fb7a895e65/
SH256 hash:
c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf
MD5 hash:
be2cc1521dcc84524d3ed8f294eef607
SHA1 hash:
ea84805a9d4e45aba026033a15730678fb6ac957
Link:
https://www.unpac.me/results/d5e2bffb-25fa-4690-9dc7-01fb7a895e65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe c5d3c1c7cd8f5545abb3c07b6a5676c1a4979acdcb14e180591a5c36f8cfcebf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/166305/

Comments