MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0627a5e4530d6e95e2b9b87c227d6988fc7c46efd40587d0361d1b313c215c39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0627a5e4530d6e95e2b9b87c227d6988fc7c46efd40587d0361d1b313c215c39
SHA3-384 hash: f60b7fa08ad956dade4bed93aa2503af31b8f9ac746d99f4cdec9d178f4d48dd80e73a50e41df411bc6943c6465800aa
SHA1 hash: eff2317f7f046b78c5e7e41367b5fb1ae25bbc00
MD5 hash: f60c2d3ec2818b398e653677dcc8b8c5
humanhash: sierra-carolina-pip-lima
File name:8e2cc8e6df55cdea2e24cbf6c6a7fec8.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:151'552 bytes
First seen:2020-04-02 18:55:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4563c74acbd357d386b177e402b96ce4 (60 x NetWire)
ssdeep 3072:2XFgYEAsB4+Cb3iiDUCcmE90rvPkGK+dr9YMIFfS:2XGYEVat3iiDUCcf+rEG5LzIFf
Threatray 246 similar samples on MalwareBazaar
TLSH 0CE3F758F987A0F6FE4B1C31A58BF36F4B757E00C234CE91EF580E86EA23D25111AA55
Reporter abuse_ch
Tags:exe GuLoader NetWire


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
http://thomsonreuters.host/FQ/EHH_encrypted_18BA8C0.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence

File information

The table below shows additional information about this malware sample such as delivery method and external references.

6de06a9724a5db4184583ad0ec227eacf9a941c0ec002a9ee451149909f7245d

NetWire

Executable exe 0627a5e4530d6e95e2b9b87c227d6988fc7c46efd40587d0361d1b313c215c39

(this sample)

  
Dropped by
MD5 8e2cc8e6df55cdea2e24cbf6c6a7fec8
  
Dropped by
MD5 d0f46c0b56bf516d6884015206af1aa5
  
Dropped by
GuLoader
  
Dropped by
SHA256 6de06a9724a5db4184583ad0ec227eacf9a941c0ec002a9ee451149909f7245d
  
Dropped by
SHA256 552f5033b667f26dc1b18470ae8f60b668fcc2e5ee09107cbeaf2d0370760851
  
URLhaus
https://urlhaus.abuse.ch/url/334388/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.DLL::CryptUnprotectData
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteA
SHELL32.DLL::ShellExecuteW
SHELL32.DLL::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.DLL::GetUserNameW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.DLL::CryptAcquireContextA
ADVAPI32.DLL::CryptCreateHash
ADVAPI32.DLL::CryptGetHashParam
ADVAPI32.DLL::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegDeleteKeyA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::closesocket
WS2_32.dll::connect
WS2_32.dll::gethostbyname
WS2_32.dll::htons
WS2_32.dll::inet_ntoa
WS2_32.dll::ioctlsocket
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments