MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9fa7ba9ae9c20373f723ae4cdfacb18053c42d38fa31dc1fb52cfffa2e9297a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9fa7ba9ae9c20373f723ae4cdfacb18053c42d38fa31dc1fb52cfffa2e9297a
SHA3-384 hash: e615868623ca223061b5acb08665dc77f7df192c5c4b2b3f37c71747a658c900baee628fb9b3cbad51c6c446975b3601
SHA1 hash: 326a3640501c786d1293a162e3b80c9472353d19
MD5 hash: 4270322408c1ccbc3f20511f12f9fefe
humanhash: shade-lemon-hamper-maine
File name:COVID-19 TIPS.exe
Download: download sample
File size:1'240'064 bytes
First seen:2020-03-18 15:01:47 UTC
Last seen:2020-03-18 16:45:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:ltb20pkaCqT5TBWgNQ7arr9ekXqitTlpb6A:WVg5tQ7aVekbTj5
TLSH 7745CF1333DD8264CB7251B3BA1673417EBBBC6606A4F55B2FC8393DAAB0161421E673
Reporter cocaman
Tags:COVID-19 exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/329512
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-19 01:54:34 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zh5hxknotqqdop3shlsm36wldactyqwtr6rr3qp3klh77ixjff5a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9fa7ba9ae9c20373f723ae4cdfacb18053c42d38fa31dc1fb52cfffa2e9297a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz cc2c9b6a03c60515e48c738fdc2f6f8bb1c3a09a8997168f01d813f48a57925a

Executable exe c9fa7ba9ae9c20373f723ae4cdfacb18053c42d38fa31dc1fb52cfffa2e9297a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cc2c9b6a03c60515e48c738fdc2f6f8bb1c3a09a8997168f01d813f48a57925a
  
Dropped by
SHA256 082550581569221c5dbcf441b62627c0e116d46c41855a93f453935f25265401

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments