MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79a11cb21ee047550839c1bb8e4bd7d40c98b7fc8eb1faf5f71c06d8acadcdb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 4



SHA256 hash: 79a11cb21ee047550839c1bb8e4bd7d40c98b7fc8eb1faf5f71c06d8acadcdb5
SHA3-384 hash: d5304e216de702aa0218fb0066ec1917d5e04127ff7daa2c0bc201050c284cbf33a09ac234976bbf479019cd7fb3a6aa
SHA1 hash: e40e1699f9e45ac28ad373bd1b31a133e666aa28
MD5 hash: dafcece5e0ae55b75fc55d8380f50282
humanhash: nevada-mississippi-violet-four
File name: Underernringen.exe
Signature: NetWire
File size: 69'632 bytes
First seen: 2020-05-08 08:09:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82d87a03c35c388258a4e2eb50b62a39 (1 x NetWire)
ssdeep: 768:V1t77g9AgV5g8Xbs7467/S3N8AjXc/ZYd7QcB3vqiy:dk9VA7HSzjcZYNQcRi
Threatray: 869 similar samples on MalwareBazaar
TLSH: 8763393673D8E133DC944BF23A6E97E021E36CB845094D0F398E3B5E5539A86A06971F
Reporter: abuse_ch
Tags: encrpyted GuLoader NetWire RAT


abuse_ch
Excel (xls) -> GuLoader -> NetWire RAT

GuLoader payload URL:
http://securewedreesdsa3.ru/Underernringen.exe

NetWire payload URL:
http://stubbackup.ru/r4_FYUuBS170.bin

NetWire RAT C2:
79.124.8.7:1986

Intelligence


File Origin
# of uploads: 1
# of downloads: 95
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Netwiredrc
Status: Malicious
First seen: 2020-05-02 07:46:00 UTC
AV detection: 27 of 30 (90.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent state file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 79a11cb21ee047550839c1bb8e4bd7d40c98b7fc8eb1faf5f71c06d8acadcdb5

(this sample)

  
Dropping: NetWire
Delivery method: Distributed via web download
