MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f0322c44c393d5c125628af2cbc849cfd3f801ef9d4d20a9b740c04b1790967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f0322c44c393d5c125628af2cbc849cfd3f801ef9d4d20a9b740c04b1790967
SHA3-384 hash: 732da152c26b80d87b45954f04fbed4dc75f0c36e96c36ffedfa3724948608b285865bc51b5309792f0e3767871b873a
SHA1 hash: 728cdacca9480146aa65fc52aec05e52a6e40026
MD5 hash: a000d6788f1b59eb933ef1867cab517a
humanhash: zebra-football-oven-failed
File name:Vergi faturasi,pdf.com
Download: download sample
Signature NetWire
Create hunting rule
File size:877'880 bytes
First seen:2020-07-07 09:42:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f2de36faf921ad0c138b3f99bf41cbc (2 x FormBook, 2 x NetWire, 1 x AveMariaRAT)
ssdeep 12288:nQLZFPe/Dl8tHMQza6myt7UM677rhsUUnV7n/VrBIPZ4HKwbYzBSbV:nMPdtHVpHUTePVFIPZkgKV
Threatray 264 similar samples on MalwareBazaar
TLSH 3A158C52F2524D3BD0624A7C9D2B02E95E21BE10291CD8935FF8AF5C9FF97807627263
Reporter abuse_ch
Tags:com geo Halkbank NetWire nVpn RAT TUR


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: titan.fibersunucu.com.tr
Sending IP: 188.132.179.148
From: Satin Alma<ekstre@halkbank.com.tr>
Subject: Vergi faturasi
Attachment: Vergi faturasi,pdf.001 (contains "Vergi faturasi,pdf.com")

NetWire RAT C2:
sure.tjsosda.com:2989 (185.140.53.6)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22166/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f0322c44c393d5c125628af2cbc849cfd3f801ef9d4d20a9b740c04b1790967/
Threat name:
Win32.Trojan.RemcosCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 09:43:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4bsfrcmhe6vyeswfcxszpeett6t7aa67hknecu3oqgajmlzbftq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
06835e2c284ded66ca44497caf918d1ce6f216e68af866e85ac6fb79332b75f7
NetWire
4fc5c83ab8d45e9b46bc1ab2a20e653d868e57f357b7f5b4ba433706594bc2ca
NetWire
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555
NetWire
5f8cd119c7cc31eef0e66451fb05d5179c60850b2330ebcb76066dd289172a17
NetWire
a521bd7e14bd3f373c03a13487b5ec4156c9b59bcf7751db5b6fded58d4825d3
NetWire
aae45a77eeaca2d69630e035293e25a47f81d5b7612bace059d1678154485b85
NetWire
d38d364257aae9a96f861fc772480694e039d01e3f7897f347341d78d74444ca
NetWire
dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb
NetWire
ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb
NetWire
f5041ea07d530c171a670d71769deb2185c8620462b4e26c59a923784f3bd17a
NetWire
+ 254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200707-gmxznh6s32/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry key
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar e7bb18522742f5f9e735a139918df6bca0c0acfbb32f9ad7515be7d0158166f7

NetWire

Executable exe 0f0322c44c393d5c125628af2cbc849cfd3f801ef9d4d20a9b740c04b1790967

(this sample)

  
Dropped by
MD5 fec5d2e088957f463b1dbfcf27d1fb62
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22166/
  
Dropped by
SHA256 e7bb18522742f5f9e735a139918df6bca0c0acfbb32f9ad7515be7d0158166f7

Comments