MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e659c7f42d4e96e05821b1df99216e5887904ada083fd61c6f77b9628a7890c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e659c7f42d4e96e05821b1df99216e5887904ada083fd61c6f77b9628a7890c
SHA3-384 hash: ced7b7295b1e44c3b3115adbdcda32cf1edf1d1628805f249b6f9c9227cec5943494044a5ede4d8a22c175f930aa82b5
SHA1 hash: 91edf7a4a7f8cee8372c142f789ccab9521a7ef2
MD5 hash: 1b400e56a5e8182160026b0380cfa4ea
humanhash: network-bluebird-uniform-summer
File name:rWWytiGk.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:173'056 bytes
First seen:2020-03-14 01:05:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ff13a754a2b4f379e240e65a618defe (2 x NetWire)
ssdeep 3072:VF9waTysrCkNw4de2GP99uqKEBvo3tghtoe+5FLGhTPasqVBh:ReyCN32GPHu0o3t8cluTPtgB
Threatray 987 similar samples on MalwareBazaar
TLSH 150412789840C4F7F7FA49303B1D070C8AA57E711E5AA8B34C58B734EAEA9142D7BB45
Reporter johannes
Tags:NetWire


Avatar
viql
netwire via https://pastebin.com/raw/rWWytiGk

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.Generic.mg.05ec651cf2e1d6ff.18825.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Coolvidoor
Create hunting rule
Status:
Malicious
First seen:
2020-03-14 06:39:00 UTC
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
069c2e6f7dbaf794feb28bc32d90db33d030b6169c3a21133f5ad5cadf081c1b
NetWire
276ff250495d6b475c84a26dce4faa535f976780fdfc69cc0dc831dba3451a5c
NetWire
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
NetWire
4f8130693067523c153d09b000e48e744ca3b86388221a840349746ea6e561df
NetWire
7a445143a652f58fa4abc4957269aea8f884f71e7f4654b56385491eb544b0a5
NetWire
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
NetWire
8ea8ef6c916a4559dde761c0373d4cd662af71e00140b6be6ddf38e3c2e38b76
NetWire
ad5d194018074784d3a8ac9aa334d5b0b4c8ec9fe721ba7870ef054e29d4529d
NetWire
bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
NetWire
fee0b02e4e0358d8025fa74d2780dd557c2de871e03a82b3dd7aadaf451ea1a3
NetWire
+ 977 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e659c7f42d4e96e05821b1df99216e5887904ada083fd61c6f77b9628a7890c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://pastebin.com/raw/rWWytiGk

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaAVICAP32.DLL::capCreateCaptureWindowA
winmm.dll::sndPlaySoundA
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments