MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca80f61a8161466cf3d95834691dc42ec0a08caa62b53f78b93d98810ff6115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ca80f61a8161466cf3d95834691dc42ec0a08caa62b53f78b93d98810ff6115
SHA3-384 hash: 88b043dfff9e15da57c21a280b15b29e762eecb3158980a3d00f47811e477c0611c1dd3a3779f1cdc2ea5697bab5d9e4
SHA1 hash: 89fb070d73c3b60b675ddda7492a238f800d8747
MD5 hash: 6998df0aeeb0a1583e6236b1ee22fb73
humanhash: apart-pasta-august-spring
File name:6998df0aeeb0a1583e6236b1ee22fb73.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:81'920 bytes
First seen:2020-06-01 13:22:28 UTC
Last seen:2020-06-03 14:35:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ff07344affacc19e934fc80ccb14b73 (1 x NetWire)
ssdeep 768:AFhc7416N8lBR2zVClAZ1gyqsoYB+aBqh+m47Geh4Vkxrva+XbWY6L7aLJR+m4o:uFO8lLz9sVvBa+PGeC8aaB6L7aNR+
Threatray 863 similar samples on MalwareBazaar
TLSH 77835B27EA18AA12E16146702C6BC7FE2F657C0C89821F8F354E6E5B7B313725C6D60D
Reporter abuse_ch
Tags:exe NetWire RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.51143.26573.20232.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Ditertag
Create hunting rule
Status:
Malicious
First seen:
2020-06-01 13:35:39 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsua6ynicykgntz5swbuneo4ilwaucgkuyvvh54lspmyqeh7mekq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17f52dbf63e20cb471e6da579551830186446d814a14162ec3569c62fb6f0771
NetWire
474233cdd3d96bddb9f6733b5345cd411ed3bc141f462d77849f1294900b0aac
NetWire
586308277bf0f934777f113da1b684233d2cdfbf6b746eebc35d2f8dc8d1c585
NetWire
6535df8dcbd659939c18a93ee2b58e8ef05898e1baa30932cf3cfa876659d183
NetWire
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
NetWire
85e0ff2f0c03b8d8ce1d32b446dcef0e32b79fa581a9c27dcf4d0bb92c6b167f
NetWire
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
NetWire
dfe66d2e7938bed4e4452f82519a8b02d0ac89e74341a4abee8b2ec1c6a7ffb6
NetWire
e28da88ff0d294d8f4bc7cacae31814a43026ddac38a554ef697e703122e46c5
NetWire
faac07736e1c735a2b4028b9a77bcf0897944e3ce16977c61b6af1b45592d6b0
NetWire
+ 853 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-yx942prdqe/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 0ca80f61a8161466cf3d95834691dc42ec0a08caa62b53f78b93d98810ff6115

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/372429/
  
URLhaus
https://urlhaus.abuse.ch/url/371185/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/372809/

Comments