MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d4ee02b866098cb91e5714708ea425a0d1caeb5b6eba6f2ce699065e00b5599. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d4ee02b866098cb91e5714708ea425a0d1caeb5b6eba6f2ce699065e00b5599
SHA3-384 hash: f485530a1f4f7889d2feb1bd2015a94fccf4dc4a80a82054a375d6911419deb07778e1d3992fc99d1832aef4636be9fa
SHA1 hash: 4a81b97e7fe46b656e5be220bd4fa4e66e8847b6
MD5 hash: 9a87bbc8a5b061bddb8b52c83a09c2b1
humanhash: crazy-red-alaska-lake
File name:PO-011741.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:880'640 bytes
First seen:2020-06-10 07:17:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2879dffa5316604be785ffdc4daa690c (1 x NetWire)
ssdeep 12288:jIGMhxKRAid8RJeSDnHnAplvUrsHHS40jatI2gG3cRUng0nNPtJ:jUhpiGRJ5DneMIyGtIW3ndnNF
Threatray 236 similar samples on MalwareBazaar
TLSH 5D156C26F7914C73C133293DAC5BD674D83ABE612A24A8C52BE83D784B79385352D1B3
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: shbc10.ultina.jp
Sending IP: 218.40.207.10
From: Sales05 <contact@hesp.com>
Reply-To: contact@hesp.com
Subject: REQUEST FOR QUOTATION
Attachment: PO-011741.rar (contains "PO-011741.exe")

NetWire RAT C2:
rgussy.ddns.net:3871 (194.5.97.23)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.97.0 - 194.5.97.255
netname: Privacy_Online
remarks: ------------------------------------------------------------------------
remarks: This prefix is used by a non-logging VPN service provider.
remarks: We don't log any user activities.
remarks: We don't host anything else on our servers than VPN software (OpenVPN,
remarks: IKEv1 & 2, WireGuard ...).
remarks: Our customers can open up to 8 Ports (TCP & UDP).
remarks: We support the Tor Project: https://www.torproject.org
remarks: Before sending us potential complaints, please read:
remarks: https://www.torservers.net/abuse.html
remarks:
remarks: We are under constant pressure by Spamhaus.
remarks: Spamhaus issues tons of fake SBL listings in order to destroy our service.
remarks: They use fake identities, violate EU laws and hide outside the EU in
remarks: Andorra to avoid legal consequences.
remarks: Please don't trust this organization.
remarks: If you have any questions related to our service, please contact us
remarks: directly via e-mail: support@inter-cloud.tech
remarks:
remarks: Thank you.
remarks: ------------------------------------------------------------------------
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
country: RU
status: SUB-ALLOCATED PA
mnt-by: inter-cloud-mnt
created: 2018-07-23T09:31:45Z
last-modified: 2020-03-10T21:27:32Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 05:21:52 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dvhoak4gmcmmxepfofdqr2scligrzlvvw3v2n4wongiglyalkwmq._file
Verdict:
suspicious
Similar samples:
10cf748693a03e95d4f2efab81757ec3ad3905129e84b7dc8c491d9e5fbb550e
NetWire
36abbef320573be77f282a10faa2413d38710d336ab7c61eb31a8f0ee572f6f6
NetWire
397545efcbf53bebabdb003bbe9f8b619b7ffdd5383c21ecd9e99c6de3e3cd83
NetWire
40e95520d719a9c3277c76b42124de197dc391210b1053fa505897838dcdcb90
NetWire
4a36125e8a672710a0463832718e10bbce9fc7d83daeb5245fcaa7440ca1849f
NetWire
4e61f0aec05adc008e39902fb864108bfcb5210fb500205db99135120810a587
NetWire
5e499f9a72195ce2d1d2e0ca6dffbacc880ae5bc0847ea03e65060c993e35146
NetWire
99ebd29c10ab0e9063fbec9966f1be56986d6c74630fb251baab26988aec93cd
NetWire
a35a1149597435d58703ab662e49dab5ccc96d77529ebacefcdcf9e298c27e51
NetWire
f2c4b98fdadf7b1fec173ed6493daaaf1dbb13d8d659a73d9a6b494f32a750fb
NetWire
+ 226 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader
Link:
https://tria.ge/reports/201109-dzzvtn1kfa/
Behaviour
Script User-Agent
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 0bfdc0f6cf656f854f3f4379c0a1e3b393051b59a0fb8f284b89f014c51dda97

NetWire

Executable exe 1d4ee02b866098cb91e5714708ea425a0d1caeb5b6eba6f2ce699065e00b5599

(this sample)

  
Dropped by
MD5 23e96c46f792bdcd339df990d8a1694a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0bfdc0f6cf656f854f3f4379c0a1e3b393051b59a0fb8f284b89f014c51dda97

Comments