MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cbd9abf72988dd36f382b42d50cd46dfbecc2a763764d44eb752dcd2d026651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cbd9abf72988dd36f382b42d50cd46dfbecc2a763764d44eb752dcd2d026651
SHA3-384 hash: 8315960b6916ef59c0e06ddbfc0da1211b023b5f3638f84f60266e0f52649b786f635d904625a21af225cb41f7f29984
SHA1 hash: 30becc58e78b6f99401ced5b81fab250fa4e6321
MD5 hash: bbfa03c0cc52c99353c81365663070ec
humanhash: december-hot-jupiter-iowa
File name:IMG-190202010.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:321'024 bytes
First seen:2020-10-19 18:11:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:JJQ0WLkZTsyKd6xyIgE1hLqVTBg/axqEmfRDu8Py/E:rQ0zZTZWCgE/qlOa0EOu8P
Threatray 274 similar samples on MalwareBazaar
TLSH DC643B3FB7D99F74E43966B1000120930825F5C16DE3FD2BBF8939A88D9285A1D8F7A5
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: pomaritime.com.com
Sending IP: 139.28.36.172
From: Kyriacos Mouzouris <kyriacos.mouzouris@pomaritime.com.com>
Subject: Re: Re: Payment copy
Attachment: IMG-190202010.zip (contains "IMG-190202010.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.ArtemisBBFA03C0CC52.29523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/495847
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1cbd9abf72988dd36f382b42d50cd46dfbecc2a763764d44eb752dcd2d026651/
Threat name:
ByteCode-MSIL.Trojan.Staser
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 14:57:47 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ds6zvp3stcg5g3zyfnbnkdgunx56zqvhmn3e2rhlouw42licmziq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
NetWire
146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa
NetWire
760c5c96174d0f5f899970f3b35da290b831f4c85221b1e274a5491fcf08b264
NetWire
76f20f51dda2d37c9e1c9ddff49fa03defa148abcfd399dfd2c0633f5609cc7d
NetWire
8c940846bd45f30de0358c90c8caef670b5e15bc9468452418d215c40ed62a20
NetWire
9de5e8e2d7733dfcf568e5b11a95d2468ef905e90169d7a4c93e1909a0372f04
NetWire
db5dc86af801e2c47013fc8aa7d23d10fee192e8a6020121ddb542a4a3555b55
NetWire
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
NetWire
f24e45d41404cdbd5b3e88ef39f6b047d062ade5cb3bddbe2ad40d5331e27210
NetWire
fc70d13e41ab6c3d36b72e329549c48e70767e37b06c5bbe7284896e935c6815
NetWire
+ 264 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/201019-x49d4vg2jj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
1cbd9abf72988dd36f382b42d50cd46dfbecc2a763764d44eb752dcd2d026651
MD5 hash:
bbfa03c0cc52c99353c81365663070ec
SHA1 hash:
30becc58e78b6f99401ced5b81fab250fa4e6321
Link:
https://www.unpac.me/results/1df434dd-17c4-4ce1-a496-b1ad7bda0cbe/
SH256 hash:
79f351d66141e886b835328da68ca925988e266692924431445f10319f842ac2
MD5 hash:
78956fe5833f751547d03e5538e55549
SHA1 hash:
6acac886c8c13d78781e8508368b0c274c9fc371
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/1df434dd-17c4-4ce1-a496-b1ad7bda0cbe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cbd9abf72988dd36f382b42d50cd46dfbecc2a763764d44eb752dcd2d026651

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip 7c146674f3710435f38acb03d0aab92f3badf70501f8b217752f0bb02cedd184

NetWire

Executable exe 1cbd9abf72988dd36f382b42d50cd46dfbecc2a763764d44eb752dcd2d026651

(this sample)

  
Dropped by
MD5 f917e4a4a8a0a676f9f1b45cfb484c75
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73066/
  
Dropped by
SHA256 7c146674f3710435f38acb03d0aab92f3badf70501f8b217752f0bb02cedd184

Comments