MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 1 File information 5 Yara 2 Comments

SHA256 hash: fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e
SHA3-384 hash: 8f6fad8cd18979d6ac21876ffd49b4e16acf8f10fba06616e5beac212f822435651652527e016b53050077d3d2c8708d
SHA1 hash: 5b2a314125e3ce989cacde910153349bc0fd0a8b
MD5 hash: 3e5606ac4cfc7377397427ef830512ab
humanhash: one-kentucky-fish-mountain
File name:wdfr.exe
Download: download sample
Signature NanoCore
File size:276'992 bytes
First seen:2020-06-29 19:52:34 UTC
Last seen:2020-06-29 23:57:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:YXwSkeP01ZKBjz85WgS9QLYESJc6hJIBhagXyQYCV8:L3/KBj8WgSyxSWagXyQLV8
TLSH BA440144FB88DA17CA2F0179C46AA77043A0DF6B6552E39B2C4D7E1FB5733C9260609B
Reporter @abuse_ch
Tags:exe NanoCore NetWire RAT


Twitter
@abuse_ch
Malspam distributing NetWire:

HELO: semf07.mfg.siteprotect.com
Sending IP: 64.26.60.170
From: Shawn McKay <info@vancouvercharters.com>
Reply-To: prepre080@vivaldi.net
Subject: RESENDING: Quotation Needed
Attachment: PO29062020.xlsm

NetWire RAT payload URL:
http://longi.ca/wdfr.exe

NetWire RAT C2:
gold080.ooguy.com:4770 (79.134.225.84)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


Mail intelligence No data
# of uploads 2
# of downloads 37
Origin country CH CH
CAPE Sandbox Detection:Netwire
Link: https://www.capesandbox.com/analysis/16579/
ClamAV SecuriteInfo.com.Trojan.PackedNET.276.9088.16583.UNOFFICIAL
CERT.PL MWDB Detection:netwire
Link: https://mwdb.cert.pl/sample/fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e/
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Smartassembly
First seen:2020-06-29 19:54:05 UTC
AV detection:24 of 31 (77.42%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:netwire
Link: https://tria.ge/reports/200629-yx4h8zar2x/
Tags:rat botnet stealer family:netwire
VirusTotal:Virustotal results 31.94%

Yara Signatures


Rule name:win_netwire_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_netwire_g1
Author:Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NanoCore

Executable exe fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e

(this sample)

Comments