MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9
SHA3-384 hash: 16d136c4ba4f50815ad05957f26d25fa9f55ba66841ecdca6f32e57796b62680f0c62d9cf47fe235fa370462e6315866
SHA1 hash: 5d81985f7d9eaf1e33fc05e6081bb1e2a7a898ba
MD5 hash: dc3d6c63fb4a7db9ce48ea48281c2fad
humanhash: beryllium-indigo-edward-equal
File name:dc3d6c63fb4a7db9ce48ea48281c2fad.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'259'520 bytes
First seen:2020-06-15 14:07:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 134a427d8e11e30f2e4389847cf6bf3c (3 x FormBook, 2 x NetWire, 1 x RemcosRAT)
ssdeep 24576:kBlDgE7EmXWAqSvg439vGSVNe1/hqIiHeDd7:k7DlC+GSjiBi+x
Threatray 336 similar samples on MalwareBazaar
TLSH B6456C32B2A1C433D5631A7CDC5B92FC9826BE10A92859877BF53D4CBF39741342A1A7
Reporter abuse_ch
Tags:exe NetWire RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10502/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.Backdoor.Win32.Bifrose.1593.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInjector
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 12:28:18 UTC
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzoqryies7g5crezwsxiep35monhhdjxpbeifw3vrzypuoae4tuq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
NetWire
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
NetWire
4c0201a24bb5ce9ed7b2a24dc35cbfe03ecb8546a14f549811e7d4a1b314f32f
NetWire
7c7a7c3e89daeb57bcd8fe5a895461161efafa3a5b2f111e0e23aff6b3f9535a
NetWire
862b45e2c98a175f625797db1d3342e0d9dc35b79e3386deb42c06b1918867d9
NetWire
8aa7a5eb1247b0d54b2bd29dd6b2d563ca30da4990c8220f61da826fe5941452
NetWire
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
NetWire
e04977f7d1fbf8b3a69237bbd2170af6c3046a8ce29e2732cd7c72f079f0e0f8
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
f53faac8d340d58a2e4916652372ccc1ec9be6a34da5332ee31072ed9c75c37a
NetWire
+ 326 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/201109-fqeb43ys4a/
Behaviour
Suspicious use of WriteProcessMemory
ModiLoader First Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/390095/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/390100/
Cape
Cape
https://www.capesandbox.com/analysis/10502/

Comments