MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3143a2e5e36fe24663503f10167be4919d67ee9095b38862df0d898ee233ec5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3143a2e5e36fe24663503f10167be4919d67ee9095b38862df0d898ee233ec5e
SHA3-384 hash: 8a6126378c1c22a1716e43234187a8cc752bd2605dcf19df1e0f0c63ed7ce430c4bab9334b6f493043550863e65521e5
SHA1 hash: 25b314216cb30201273c8cd4e5122a44cb1b0bbd
MD5 hash: ede828d675dcfb917bb8afc76995483a
humanhash: butter-alpha-fix-queen
File name:d2dc8f0981640946abfa6df7156c4e8c.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:151'552 bytes
First seen:2020-04-09 18:43:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4563c74acbd357d386b177e402b96ce4 (60 x NetWire)
ssdeep 3072:0XFgYEAsB4+Cb3iiDUCcmE90rvPkGK+dreYMRFfS:0XGYEVat3iiDUCcf+rEG5AzRFf
Threatray 246 similar samples on MalwareBazaar
TLSH 51E3F758E987A0F6FE4B1C31958BF36F4B757E00C234CE91EF580E86EA23D29111AB55
Reporter abuse_ch
Tags:exe GuLoader NetWire


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1zNqyah3gzaUtvhHpS2vdWJb3heisgWZW

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence

File information

The table below shows additional information about this malware sample such as delivery method and external references.

477b877cca51d6a1151a46c14e709eea0e09173d8b73b05923033c02cd15758e

NetWire

Executable exe 3143a2e5e36fe24663503f10167be4919d67ee9095b38862df0d898ee233ec5e

(this sample)

  
Dropped by
MD5 d2dc8f0981640946abfa6df7156c4e8c
  
Dropped by
MD5 9788fcf6f1d522c1d5c7bfc356cbe554
  
Dropped by
GuLoader
  
Dropped by
SHA256 477b877cca51d6a1151a46c14e709eea0e09173d8b73b05923033c02cd15758e
  
Dropped by
SHA256 6ededbcb2ae04702895c16ad52ba0794870e9123024c976af0118d1eb7e93926
  
URLhaus
https://urlhaus.abuse.ch/url/337871/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.DLL::CryptUnprotectData
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteA
SHELL32.DLL::ShellExecuteW
SHELL32.DLL::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.DLL::GetUserNameW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.DLL::CryptAcquireContextA
ADVAPI32.DLL::CryptCreateHash
ADVAPI32.DLL::CryptGetHashParam
ADVAPI32.DLL::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegDeleteKeyA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::closesocket
WS2_32.dll::connect
WS2_32.dll::gethostbyname
WS2_32.dll::htons
WS2_32.dll::inet_ntoa
WS2_32.dll::ioctlsocket
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments