MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2781694a42a65e0768f88ae69a66c714dbb433d4dbc63274067f74f1e993a504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2781694a42a65e0768f88ae69a66c714dbb433d4dbc63274067f74f1e993a504
SHA3-384 hash: de9689d445645675ecae41788b7cac8345606d576424182bcb647adf954840b56e844b8d7e4ba837926311abdfe71513
SHA1 hash: ff2b1c98e760d3828ec8c46c6b40f545a1ecd3c4
MD5 hash: fcb13e2b5e6782414fb75020bdfbe630
humanhash: east-stairway-stairway-coffee
File name:fcb13e2b5e6782414fb75020bdfbe630.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:61'440 bytes
First seen:2020-05-31 07:25:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26ddb7586681e580a865202a729e1063 (1 x NetWire)
ssdeep 768:DXuGmEUG//mW3ZZls2giEGMgJw6xwvKf4CvV0mAELG:D+Y31spgJJxwFCt06
Threatray 747 similar samples on MalwareBazaar
TLSH 38533A2BBE885022E7254AB15685E5B1F736BC125502AF4B714C6F1AEC31AC3BDF231D
Reporter abuse_ch
Tags:exe NetWire RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2020-05-30 19:18:14 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
033afefa4c3ffe5fadd50c033ef0232605929c32e99bb96493588e01c0e211ee
NetWire
10481c8ab9d363251e4d1aab4805df6d245621a5f10302fe5ed8cdd9f20bdc14
NetWire
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
NetWire
2c80f61e5c61bb87be9e2d60e69093bcb5082fc690fcd751be787dbd118d5e57
NetWire
3e3529db8cde73fcdb792f6414ebe6fb9a6ec5ba5cf5f503376a795387b2020e
NetWire
7d110a4f6f206b5fb49742150bdbd7ffc43b29a5b2fa32424ef32aa20c4696f8
NetWire
837fe7fbfe7bcef79db54bc8cce2bae23f98e7e31d57d1471822892f4aa23df8
NetWire
8c3d7cd117d98d92e834d53374635acaf20a51a32888642eb621f5225bd9e29f
NetWire
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
NetWire
c5ef77c9b5293774ac7a58fba97cce6a84d3948af08b014a08c155e978c09eef
NetWire
+ 737 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-2vl8f11bpa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 2781694a42a65e0768f88ae69a66c714dbb433d4dbc63274067f74f1e993a504

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
Delivery method
Distributed via web download

Comments