MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0
SHA3-384 hash: cb9d3c9cd8af89144c57d3d06f61fdf824d9fee5a24d15803d1a87d205c7c26fd64f2321bf4ff28b3ee664e73093cc58
SHA1 hash: 1dac89113c956de3a114f5a24acc770bae6b9870
MD5 hash: ec6c2a183acce1f6afa85494198142ea
humanhash: gee-early-cup-zulu
File name:587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0
Download: download sample
Signature NetWire
Create hunting rule
File size:207'872 bytes
First seen:2020-11-14 18:20:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5cd85a0ecbf67c5aa9a8d7a3402343d5 (6 x NetWire)
ssdeep 3072:GR2RNV6MpyJlxfXIljBT0ZFHD/8RXpEtgwW6fj6b0FGQM/kPcqR9u:GRYvpyvN7HD/Mjwz76QFG1/kPP
Threatray 795 similar samples on MalwareBazaar
TLSH CF14BF78C4027ACBE5F9187A828E11C5E1E4DED5DADF3D9330A82E7A937C0B8B1C5516
Reporter seifreed
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/535436
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:22:01 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lb7jiteiduhdpgbbilvb4fkhnn55zvwnw5kau6yvrgnfwgljalia._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0c017b57d7f1cbfa01f54deb15b7f04b8923acd4585435050589b1762856247e
NetWire
18e249edf52744fa58fd5b3f0f9c205ced077ac05bc7d9bb7e17a32edcb60a5c
NetWire
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
6da998a52419846d81837d9a88d0b1e02f1816adf89ff6e91bb5de5c57abcc9a
NetWire
a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
NetWire
a8327d7e2395ea7fb71062275b3a7f24ce586d7ccd0301ed2a1df1699e2d9b9b
NetWire
b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
NetWire
cfad7f3408fcc08ca91d0e0fe624088c1c2fda17b460e17812c0362061124b18
NetWire
d488a34718cf2db560dd4c62ccb5fac527cc192716c2d166a71f98abd384aba6
NetWire
e74e35935d5ca8f98991689ed3524544e478a923a9212c87ec6c7c1bae67ec7c
NetWire
+ 785 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201114-qyqfdp288a/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0
MD5 hash:
ec6c2a183acce1f6afa85494198142ea
SHA1 hash:
1dac89113c956de3a114f5a24acc770bae6b9870
Link:
https://www.unpac.me/results/1b7f3e70-2b0f-43ac-9c38-b9c843ee3019/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tofsee
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments