MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
SHA3-384 hash: d0ac4599cec518961cf58ce144de9655b77bc0a66b04103752760160e0a4b00c1c6308acf7e75a44615f6dcb01edfbc8
SHA1 hash: 313a12b860281062c2842359e0d90c79695c5fa7
MD5 hash: 3e6a8a40fd2a124f8c9a3bc25bcebe94
humanhash: shade-mountain-bacon-rugby
File name:Absa.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:653'312 bytes
First seen:2020-06-26 07:17:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4efaaf21b12695f01a3026d85b9437a9 (5 x AgentTesla, 5 x Loki, 2 x FormBook)
ssdeep 12288:hEWYuBQgNo1MTuOxYL1ITsHwDUyt3E4ZRB/rd5Ej1UPH:itIouYueWd3E47B/rbEj1UP
Threatray 476 similar samples on MalwareBazaar
TLSH 29D4AE21F2A04833C052167D9D3BD6785A2ABDF13D585A462BF4F90CAF35F8139262B7
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: host19.axxesslocal.co.za
Sending IP: 197.242.145.93
From: Absa <ibreply@absa.co.za>
Reply-To: noreply@absa.co.za
Subject: Proof of Payment
Attachment: Absa.cab (contains "Absa.exe")

NetWire RAT C2:
154.16.93.182:3361

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14687/
Detection(s):
SecuriteInfo.com.Win32.Injector.EMHU.4343.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-26 07:19:05 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gq2lwob4rxlscjtpmdqhqichiic5odc5vhv3iziqtlhhrfcwoq3q._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1254f2a5cf88750e22a29c78e1e316cd034d3763302bfafaea0ceac3fec49e1e
NetWire
1c1035301c27d73a161ca96f9732f5024eb924798ce95d76d274b751ff87aa2f
NetWire
3f7579a12e92960bfe46af7ea9bc9ac716c374b214e1f03c5f9fb504708ea63f
NetWire
40d8ba1b4ae578829ce958a356395307e27eda0512bc78021ccb93e4b26134f7
NetWire
56cdf2f0adffcc195d95801f4f61da727edf5e6fe6bbbf0ac71462f733df9de9
NetWire
797a9a105652922546340d44d623196f8f5d22410011156a710bdf4f239a3d40
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
NetWire
b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
NetWire
f52c73e9a148074ad2d20b27874e0c183a461f0e21ed09874ef706e464757e2e
NetWire
+ 466 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/200626-24bez8p3ks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Drops startup file
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

cab 06e6812b532aa2534c5e148ca2d680f65eaa9ab6a3ac495ab7f69bb74c2f6aec

NetWire

Executable exe 3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437

(this sample)

  
Dropped by
MD5 36fbd9d44ef3f474f3eceaacf1658f96
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14687/
  
Dropped by
SHA256 06e6812b532aa2534c5e148ca2d680f65eaa9ab6a3ac495ab7f69bb74c2f6aec

Comments