MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4fdf5ead09b850c4e9de74f0a4bc7816e57a6ae1f8334f3222d46b0ac9bff15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 6

SHA256 hash: e4fdf5ead09b850c4e9de74f0a4bc7816e57a6ae1f8334f3222d46b0ac9bff15
SHA3-384 hash: 43265ef10ba86192de86cd6d9cd844c5b979930bbd4f199ae94cd78d96de18ef757948ac5958f0d9f3ad9b2116930b02
SHA1 hash: 2b3b25c428fb1bd08e4410d692be9a6b1f2143fa
MD5 hash: 2d761de5722859df540fa809849d1318
humanhash: shade-london-jig-ceiling
File name: OGBEYJQPLFWNSACXAJPBOA.VBS
Signature: NetWire
File size: 782 bytes
First seen: 2022-04-12 17:26:34 UTC
Last seen: 2022-04-13 04:25:39 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12:+v/rBV7P3i2v/r+usSqXyv/r+usOSZChG5QNkGN4GvJKJTq6E/UpTYqvAg+HSIna:QtpMS/BN3N616UpTPAPni5
Threatray: 1'622 similar samples on MalwareBazaar
TLSH: T18E018ED155B48DE3BC5B083518EDE15296EE0CCBDF65C751258894DA0D744E6481D3E1
Reporter: pr0xylife
Tags: NetWire vbs

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
37.120.141.190:5022  https://threatfox.abuse.ch/ioc/518950/

Intelligence


File Origin
# of uploads: 2
# of downloads: 468
Origin country: n/a

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm mshta mshta.exe

Result
Verdict: SUSPICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Bypasses PowerShell execution policy
Creates processes via WMI
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Windows Shell File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 608127; sample: OGBEYJQPLFWNSACXAJPBOA.VBS; start date: 12/04/2022; architecture: WINDOWS; score: 92), recovered from the rendered graph:

Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Obfuscated command line found
  Sigma detected: Windows Shell File Write to Suspicious Folder
  3 other signatures

Process tree, with dropped files, network contacts and per-process signatures:
  powershell.exe
    cmd.exe
      powershell.exe
        Writes to foreign memory regions
        Injects a PE file into a foreign processes
        jsc.exe
          network: ejwjdn.duckdns.org (37.120.141.190), ports 49727, 5022, M247GB, Romania
          Found evasive API chain (may stop execution after checking mutex)
          Found stalling execution ending in API Sleep call
          Creates processes via WMI
    conhost.exe
  powershell.exe
    dropped: C:\ProgramData\...\RDKVQVTOFQZYSOZCOUFFDB.vbs (ASCII)
    dropped: C:\ProgramData\...\RDKVQVTOFQZYSOZCOUFFDB.ps1 (ASCII)
    dropped: C:\ProgramData\...\RDKVQVTOFQZYSOZCOUFFDB.bat (ASCII)
    Bypasses PowerShell execution policy
    powershell.exe
      wscript.exe
    conhost.exe
  powershell.exe
    cmd.exe
      powershell.exe
        jsc.exe
    conhost.exe
  3 other processes
    network: 193.27.14.214, ports 49719, 49720, 80, NETOIPIT, Romania
    Creates processes via WMI
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://193.27.14.214/B/Enc7yu.txt

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_netwire_strings
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments