MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebe7e1de6e345ed9445e0d8a11241d13cb92a7df15fc5f05a6c5d6bbf9d3244b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	ebe7e1de6e345ed9445e0d8a11241d13cb92a7df15fc5f05a6c5d6bbf9d3244b
SHA3-384 hash:	cc506b220f3f8b1c646049b53d824f77078b6c03c5f0266e710e18bd6d7c6555d476d00c8d5de798457460f6f40d246a
SHA1 hash:	1fe5ccfdfe00da77069b598f70dde7e202216394
MD5 hash:	edd46d1152ead9a34fd844a7adbaae9d
humanhash:	video-oranges-montana-football
File name:	BL COPY.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	827'392 bytes
First seen:	2020-04-22 22:06:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a7edd9901ff2b41392cecfe31f7cc87 (2 x AgentTesla, 1 x Loki, 1 x NetWire)
ssdeep	12288:M9Vhj5lzFXTJekDxG7jnzx9cZ8TxsjxdAAPC2I0b879NPE:8zjfFgMG7z0qqnAz2FEPE
Threatray	4'905 similar samples on MalwareBazaar
TLSH	04057DE1F39084F6C06716398C3B96A768F7B90D2D285A0D2BE17E0E7E35342246F597
Reporter	Racco42
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.GenKryptik.EIXP.13386.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-23 00:49:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5pt6dxtogrpnsrc6bwfbcja5cpfzfj67cx6f6bngyxllx6oterfq._file

Verdict:

malicious

Label(s):

netwirerc

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

exe ebe7e1de6e345ed9445e0d8a11241d13cb92a7df15fc5f05a6c5d6bbf9d3244b

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample