MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389
SHA3-384 hash: 56882bc4d390d441dff094042c0668773efef8d3cae155d5ec77b9f82e8bc2d9cbce3a6b313de6c206778c2f33ee7a45
SHA1 hash: b729fbe5d5642ca5987db47352b134797852d097
MD5 hash: 2958c347433029ff3d06f2e3f32a735b
humanhash: yellow-high-stream-foxtrot
File name: PO29062020.xlsm
Signature: NetWire
File size: 417'212 bytes
First seen: 2020-06-29 19:51:02 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:Lv49w6fyunGthcu8kxP+hkugvq4j+jSGUuS:b49l7AhpxP+hknvLStS
TLSH: DD94232BD298BEDFC6F3EA7D8D049AE7231253DE339478B968588888065F12DC071D55
Reporter: @abuse_ch
Tags: NetWire nVpn RAT xlsm
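Before spending analysis time on a download, confirm that the bytes really are the sample the entry describes and look inside the OOXML container for macro evidence rather than trusting the .xlsm extension or the reported MIME type (the MIME string above is the plain spreadsheet type; a macro-enabled workbook declares a different content type for its workbook part). The Python below is an added example, not MalwareBazaar's own code: the three hashes are taken from the entry, everything else is illustrative, and the file it builds is a constructed stand-in for the real attachment, so the hash comparison is expected to fail on it.

```python
import hashlib
import io
import zipfile

# Hashes copied from the MalwareBazaar entry for PO29062020.xlsm.
ENTRY_HASHES = {
    "md5": "2958c347433029ff3d06f2e3f32a735b",
    "sha1": "b729fbe5d5642ca5987db47352b134797852d097",
    "sha256": "d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389",
}

# Content type Excel declares for the workbook part of a macro-enabled (.xlsm) file.
MACRO_ENABLED_WORKBOOK = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the raw bytes, lowercase hex like the entry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_entry(data: bytes, entry: dict = ENTRY_HASHES) -> dict:
    """Per-algorithm comparison; treat the file as the sample only if all agree."""
    computed = file_hashes(data)
    return {alg: computed[alg] == expected for alg, expected in entry.items()}


def inspect_ooxml(data: bytes) -> dict:
    """Two independent macro signals from an OOXML zip: the vbaProject.bin part
    and the workbook content type declared in [Content_Types].xml."""
    result = {"is_zip": False, "has_vba_part": False, "macro_enabled_type": False, "parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = names
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_type"] = MACRO_ENABLED_WORKBOOK in ctypes
    return result


def build_constructed_xlsm(with_macro: bool) -> bytes:
    """Constructed stand-in for the attachment: a minimal OOXML zip, NOT the real sample."""
    wb_type = MACRO_ENABLED_WORKBOOK if with_macro else PLAIN_WORKBOOK
    ctypes = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{wb_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE compound-file magic followed by padding; enough to look like a VBA part.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_xlsm(with_macro=True)
    print("hash match against entry:", matches_entry(sample))
    print("macro evidence:", inspect_ooxml(sample))
```

Run it against the real download instead of the constructed file by reading the bytes from disk; a file that matches all three hashes but shows no vbaProject.bin would point to a different delivery mechanism (for example an external link or DDE) and is worth a closer look rather than a quick "macro downloader" verdict.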


Twitter
@abuse_ch
Malspam distributing NetWire:

HELO: semf07.mfg.siteprotect.com
Sending IP: 64.26.60.170
From: Shawn McKay <info@vancouvercharters.com>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO29062020.xlsm

NetWire RAT payload URL:
http://longi.ca/wdfr.exe

NetWire RAT C2:
gold080.ooguy.com:4770 (79.134.225.84)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE
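The "pointing to nVpn" conclusion in the post above rests on one check: the C2's resolved address falls inside the RIPE inetnum whose netname and remarks identify a VPN provider. The Python below is an added example and not part of @abuse_ch's post or of MalwareBazaar; it parses the C2 line and a constructed copy of the whois excerpt quoted above, tests range membership, and converts the inetnum to CIDR for blocklisting. The only real values are the indicators and whois fields taken from the post.

```python
import ipaddress
import re

# Constructed copy of the RIPE whois lines quoted in the post (stars and comments dropped).
WHOIS_TEXT = """\
inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means we don't log the activities of our users.
abuse-c: YVN10-RIPE
source: RIPE
"""

# Indicators in the form the post lists them.
C2_LINE = "gold080.ooguy.com:4770 (79.134.225.84)"
PAYLOAD_URL = "http://longi.ca/wdfr.exe"

# host:port (ip) as written in abuse.ch posts.
C2_RE = re.compile(r"^(?P<host>[\w.-]+):(?P<port>\d{1,5})\s+\((?P<ip>[\d.]+)\)$")


def parse_c2(line: str) -> dict:
    """Split 'host:port (ip)' into its parts; the IP is validated by ipaddress."""
    m = C2_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised C2 line: {line!r}")
    return {"host": m["host"], "port": int(m["port"]), "ip": str(ipaddress.ip_address(m["ip"]))}


def parse_whois(text: str) -> dict:
    """Collapse RIPE 'key: value' lines into a dict; repeated keys (remarks) are joined."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("%") or ":" not in line:
            continue  # skip server comments and blank lines
        key, value = line.split(":", 1)
        rec.setdefault(key.strip(), []).append(value.strip())
    return {k: " ".join(v) for k, v in rec.items()}


def inetnum_bounds(rec: dict):
    start, end = (s.strip() for s in rec["inetnum"].split("-", 1))
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def inetnum_cidrs(rec: dict) -> list:
    """The inetnum as CIDR blocks, the form most blocklists and firewalls take."""
    start, end = inetnum_bounds(rec)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def attribute_ip(ip, rec: dict) -> dict:
    """Is the address inside the inetnum, and if so what does the registry say about it?"""
    ip = ipaddress.ip_address(ip)
    start, end = inetnum_bounds(rec)
    in_range = start <= ip <= end
    remarks = rec.get("remarks", "").lower()
    return {
        "ip": str(ip),
        "in_range": in_range,
        "netname": rec.get("netname") if in_range else None,
        "abuse_c": rec.get("abuse-c") if in_range else None,
        "vpn_hint": bool(in_range and "vpn" in remarks),
    }


if __name__ == "__main__":
    c2 = parse_c2(C2_LINE)
    rec = parse_whois(WHOIS_TEXT)
    print(c2)
    print(attribute_ip(c2["ip"], rec))
    print("block:", inetnum_cidrs(rec))
```

A VPN exit as C2 is a caveat as much as an attribution: blocking the /26 cuts off every customer of that provider, so pair the range with the hostname and port from the post rather than relying on the IP alone, and expect the resolved address to change.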

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 31
Origin country: FR

ClamAV: No detection

CERT.PL MWDB: Detection: n/a
Link: https://mwdb.cert.pl/sample/d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389/

ReversingLabs: Status: Malicious
Threat name: Document-Word.Downloader.Sload
First seen: 2020-06-29 19:37:21 UTC
AV detection: 9 of 48 (18.75%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage: Score: 10/10
Malware Family: netwire
Link: https://tria.ge/reports/200629-saxga8k9l2/
Tags: rat botnet stealer family:netwire

VirusTotal: No data

Yara Signatures


Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: NetWire
Sample: Excel file xlsm d70d7499eec43adaa9d908f4df45fbb064a53e488f765ec5a5cb99baf1285389 (this sample)