MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51
SHA3-384 hash: 13b5ce45546e659553cebc701470c93f2bf5877e5800f76fc5dd6806addf7eb7d1776601de4ad609af9e90b908352662
SHA1 hash: 2994664cc51e9e95b992e25b8481e11f113f2aad
MD5 hash: 53e93b27bf99c110b603bb56ee5859c5
humanhash: east-leopard-seven-montana
File name:RFQ_76456765.rar
Download: download sample
Signature NetWire
Create hunting rule
File size:281'769 bytes
First seen:2020-08-03 12:48:37 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 6144:jVvQnXQNDkZoIAuHU0jbPfuXyOnMfbo7FlTojn:R1oAuHUSPfuXxpZlUjn
TLSH 8E5423878AF098FFF795B63B35DFE85D762007266281852830D068B67C455C7B23B5B2
Reporter abuse_ch
Tags:NetWire nVpn rar RAT


Avatar
abuse_ch
Malspam distributing NetWire:

From: doris.sun <doris.sun@dl-hb.net>
Subject: RFQ_76456765
Attachment: RFQ_76456765.rar (contains "76456765.exe")

NetWire RAT C2:
okamoto.hopto.org:3871 (194.5.97.15)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'

inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 12:50:07 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnmrj5halqjski7knv3h7w6pyfyambk7dws2f5hg2lftiww4rziq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51

(this sample)

NetWire

Executable exe 21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da

  
Dropping
MD5 25ede3b274752bd243cd1bd128981457
  
Dropping
NetWire
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da

Comments