MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 040a69fe6d68904cbb33cffa3930c2a9d2d4a16377c730e8db78386034e1bfd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 5

SHA256 hash: 040a69fe6d68904cbb33cffa3930c2a9d2d4a16377c730e8db78386034e1bfd3
SHA3-384 hash: 18877ba66d1a8b2d431bae14697aed3c9d509b26a57f5fc0719c0073e8a514d4811e9970f0e62965ea87cd485e401a1d
SHA1 hash: eec48e468c1b95426923c030235a6986ff8a9b08
MD5 hash: 7fe1be366dcec24af3d895a5cf6444a6
humanhash: equal-three-paris-fanta
File name: Purchase order.exe
Signature: NetWire
File size: 791'040 bytes
First seen: 2020-06-09 05:14:45 UTC
Last seen: 2020-06-09 06:08:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 73d9b3ff10ed798a32352fd00e581c0f (2 x ModiLoader, 1 x AveMariaRAT, 1 x NetWire)
ssdeep: 12288:/34SK+eKtmz7nIdq32wx6B4Xil/C+QU7K3wFXJQtF2z:gSfeT7IdqTx5XADQUlTQ2
Threatray: 271 similar samples on MalwareBazaar
TLSH: 22F49E33F3E05433C8371A388C2B56B5E569BE106E24AC9B7BF5CE0C4E352957929297
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
Malspam distributing NetWire:

HELO: shbc10.ultina.jp
Sending IP: 218.40.207.10
From: sales05 <contact@hesp.com>
Reply-To: karensdwind@null.net
Subject: PRICE REQUEST FOR ORDER
Attachment: Purchase order.rar (contains "Purchase order.exe")

NetWire RAT payload URL:
https://cdn.discordapp.com/attachments/719603727690104866/719611633692966971/Jkaqcds

NetWire RAT C2:
rgussy.ddns.net:3871 (213.5.64.11)

Intelligence

File Origin
# of uploads: 2
# of downloads: 83
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-06-08 23:24:56 UTC
AV detection: 23 of 31 (74.19%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader
Behaviour:
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Program crash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: NetWire
File type / SHA256: Executable exe 040a69fe6d68904cbb33cffa3930c2a9d2d4a16377c730e8db78386034e1bfd3 (this sample)
Delivery method: Distributed via e-mail attachment