MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e7b17a65cb05e7dbf74216528a2a314a0be42caeb784d1d475cc25fd3c36ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e7b17a65cb05e7dbf74216528a2a314a0be42caeb784d1d475cc25fd3c36ed9
SHA3-384 hash: 174f353ae8a943dc5092d7e44a63b19f275670816c2326fb68b4fce47d120e0442346f62ae75cc2a8a779ddc5cc2fa43
SHA1 hash: 64cfd8a8f8156eb632e8d0dd5512069ccd8d32c8
MD5 hash: 63bf8d89875ce3ad59d838b66d7d6896
humanhash: comet-potato-golf-carolina
File name:Payment_Advice.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:648'856 bytes
First seen:2021-03-22 07:46:32 UTC
Last seen:2021-03-22 10:03:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e31ae1caf7ae0b17adfe2535db2eb953 (1 x NetWire)
ssdeep 12288:yCdMfwnkESC7OEDXqxFRhWcchz9+RXyXE:yyMomREDartQwRX
Threatray 395 similar samples on MalwareBazaar
TLSH 07D45A61A2E048F6D1530A389C9B667448A67E313EB85C8653F82D0CBFBF3913D1DD96
Reporter abuse_ch
Tags:exe NetWire signed

Code Signing Certificate

Organisation:Invincea, Inc.
Issuer:DigiCert High Assurance Code Signing CA-1
Algorithm:sha1WithRSAEncryption
Valid from:2018-01-05T00:00:00Z
Valid to:2019-12-31T12:00:00Z
Serial number: 0be3f393d1ef0272aed0e2319c1b5dd0
Intelligence: 19 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b88acbbee18f369f37cef087fabc3473805bf9fa75f591070a1c1c779d35741b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail0.bjumgroup.biz
Sending IP: 68.183.228.129
From: export <export@bjumgroup.biz>
Subject: Payment Advice
Attachment: Payment_Advice.rar (contains "Payment_Advice.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
429
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_Advice.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 07:53:28 UTC
Tags:
rat netwire trojan
Link:
https://app.any.run/tasks/4561cb53-5e94-46c9-8e52-d9431692a20c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647458
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e7b17a65cb05e7dbf74216528a2a314a0be42caeb784d1d475cc25fd3c36ed9/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 07:22:21 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fz5rpjs4wbph3p3uefssrivdcsql4qwk5n4e2hkhltbf7u6dn3mq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
2928d0d53b459f6b822fd781360a743b3548f31c31c012ba8a25b42235aff154
NetWire
2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03
NetWire
5105c1a352e0f0e2a54b08132d9d1e383f6505a7aa42b8aea411c85551c37175
NetWire
93cce15a013050d27ba21f0b40902f61aafd78f0aeaeea55d47ec9a6abcb9595
NetWire
9de5e8e2d7733dfcf568e5b11a95d2468ef905e90169d7a4c93e1909a0372f04
NetWire
a521bd7e14bd3f373c03a13487b5ec4156c9b59bcf7751db5b6fded58d4825d3
NetWire
cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de
NetWire
d88b21c1b67f0aee44019a8b54a72d1662ae3c2939ff593fe0d1844cf17a5c53
NetWire
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f
NetWire
+ 385 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210322-h7t6xdrabx/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
2e7b17a65cb05e7dbf74216528a2a314a0be42caeb784d1d475cc25fd3c36ed9
MD5 hash:
63bf8d89875ce3ad59d838b66d7d6896
SHA1 hash:
64cfd8a8f8156eb632e8d0dd5512069ccd8d32c8
Link:
https://www.unpac.me/results/8134d1aa-4ad2-407d-89c2-ff084d261ac0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tnega
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e7b17a65cb05e7dbf74216528a2a314a0be42caeb784d1d475cc25fd3c36ed9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar adcb7430b293be5a8d9c084c7ec7647a40a889a5703b2487ac48cf8db15891fd

NetWire

Executable exe 2e7b17a65cb05e7dbf74216528a2a314a0be42caeb784d1d475cc25fd3c36ed9

(this sample)

  
Dropped by
MD5 b02017049c9d26bf73d4724179424702
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 adcb7430b293be5a8d9c084c7ec7647a40a889a5703b2487ac48cf8db15891fd

Comments