MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13e668992868756df857fe968a7de8f492511b410a076e551e862ce0abf5489f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13e668992868756df857fe968a7de8f492511b410a076e551e862ce0abf5489f
SHA3-384 hash: 191f142476e58d1891991bce70d40ab3130769950404e02fc869e0bf60980701c55a115d910720b6354e6ac5ca9d58ff
SHA1 hash: e5fe946fe1f05bd9b927249565a7c8a47bf3a2a5
MD5 hash: 56efb9d16729dca7ee3cd0e6b36bc760
humanhash: helium-connecticut-pip-texas
File name:2018 1040with w2.xls
Download: download sample
Signature NetWire
Create hunting rule
File size:728'064 bytes
First seen:2020-05-08 08:08:38 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:bSb184Qjo3+M++OhnsmPjpMoflTT9eiZ76wjx+OCIvLbizboj:bSvOM+jTryihDetWz/
Threatray 973 similar samples on MalwareBazaar
TLSH D8F41292FAC1AE07C4D203784B6382E1357AFC200F6BCD9B66C5F6157B7D79429AD10A
Reporter abuse_ch
Tags:GuLoader NetWire RAT xls


Avatar
abuse_ch
Malspam distributing GuLoader:

HELO: raq.wingnets.ne.jp
Sending IP: 210.230.216.239
From: LAWRENCE L LAM <arrrc@scoutnet.or.jp>
Reply-To: LAWRENCE L LAM <LAWRENCELAM@SSCOMSTORE.COM>
Subject: Tax Preparer Needed! 5/7/2020
Attachment: 2018 1040with_w2.zip (contains "2018 1040with w2.xls")

Excel (xls) -> GuLoader -> NetWire RAT

GuLoader payload URL:
http://securewedreesdsa3.ru/Underernringen.exe

NetWire payload URL:
http://stubbackup.ru/r4_FYUuBS170.bin

NetWire RAT C2:
79.124.8.7:1986

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Document-Word.Trojan.Encdoc
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 05:02:59 UTC
AV detection:
10 of 31 (32.26%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cptgrgjinb2w36cx72liu7pi6sjfcg2bbidw4vi6qywobk7vjcpq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0ec3c68f6fa845bcc40ea35365aa204f7e8bdf8010ea20dec2e3ea3f46838e02
NetWire
1d117728ec260d80f6c6a347c4c32c965c69ff10bd4f08444fc70e82eebb1094
NetWire
3d759e1a22e9409de973cc5040093aff85d02303712fe10283b7baff63de9f73
NetWire
3e5bbf9fcae918011ec4eee75ac6402fddf20d09fef95b362d0e226d56b80f1d
NetWire
4115f7f18a5b142e38238daa8e858810ca283bdaee3aebf3d4c18bf67ddd27af
NetWire
70e8b249ce476ea3ff1c233de9eef9b9f1e2ad1da22c1bb3e16acc20eaa0e9a2
NetWire
79a11cb21ee047550839c1bb8e4bd7d40c98b7fc8eb1faf5f71c06d8acadcdb5
NetWire
a0c5ec02160570545c6eb2b81cbff1db49cbce0d90ba6e567b42e1a3e3a7076c
NetWire
a570592bf5a21c1f55712fcec60a0536fedabe28b409d9a48fdc499185e154ff
NetWire
cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8
NetWire
+ 963 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-5gbpdd3wke/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://lolwannasellmywife.ru/dadadad.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip e5c572c11d8de24eab62bf998ff173d0dafb468ee5120ad6acee28040d247790

NetWire

Excel file xls 13e668992868756df857fe968a7de8f492511b410a076e551e862ce0abf5489f

(this sample)

NetWire

Executable exe 79a11cb21ee047550839c1bb8e4bd7d40c98b7fc8eb1faf5f71c06d8acadcdb5

  
Dropped by
MD5 7d386cdcd66ece04d2e0e69de5209078
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 79a11cb21ee047550839c1bb8e4bd7d40c98b7fc8eb1faf5f71c06d8acadcdb5
  
Dropping
MD5 dafcece5e0ae55b75fc55d8380f50282
  
Dropped by
SHA256 e5c572c11d8de24eab62bf998ff173d0dafb468ee5120ad6acee28040d247790

Comments