MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b671c3d24db562f33df95a58e3aa4a74c33cc07a4a609804d1d11fab98c18cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b671c3d24db562f33df95a58e3aa4a74c33cc07a4a609804d1d11fab98c18cc
SHA3-384 hash: f40441d90e426dea4d619fe114fc38c9f0eec1b92bfa512d14f5f314f187436c1ca7e65fd2a069c244015c846804a773
SHA1 hash: fb73002c9fcafcad2cf05d4a22b991e2f8c77746
MD5 hash: f107d869f3d2a6fa457eabe23022ab1e
humanhash: xray-johnny-enemy-harry
File name:Proof of Payment pdf.exe
Download: download sample
File size:935'688 bytes
First seen:2020-05-13 10:32:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:6NA3R5drXstVEBo1hKdxblHj69I7nT1RMwaTU:z5MVESA69IzTXM7Y
Threatray 255 similar samples on MalwareBazaar
TLSH CC151203BBC685B2D9731931492DAB65693CB9312F24CA9FB7C0097CD9708D1A634BB7
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: a2nlsmtp01-05.prod.iad2.secureserver.net
Sending IP: 198.71.225.49
From: Capitec Bank <No_reply@capitec.co.za>
Reply-To: No_reply@capitec.co.za
Subject: Payment Notification
Attachment: Proof of Payment pdf.cab (contains "Proof of Payment pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Autoit-7600991-0
Create hunting rule

Win.Malware.Autoit-7600992-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 10:36:37 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hntrypje3nlc6m67swsy4oveu5gdhtahustatacndui7vommddga._file
Verdict:
malicious
Similar samples:
251c55b7c7c02eec9a87eca94bb01f653317ef5d8278aeb2b511194d7057a675
38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea
4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470
61f312d2472d658a6570f3e96fc4543309a304d9415e86b1c9306f2baacc9563
69f0daa863cb586a1e2b00b6335bc69f7f06615b44b2f81bb5445d6912f6a80e
9a40f0300c23e940e1e6abdab04d0d52218ac9a28b96075238de1fb9acd88b77
ad26de7b388b0d667f98b6fc939bf942f284752b6353b033b93d31556ad9b461
c21dfa284b8375b585e7d3933846c3d61337a2e0ed66cd69f1bfa81a40e4b10b
c3da3a9487da78db1490c1aee12eb806925363678188034dabc1983c27d6eac4
d35f40a630b2e4b24ec76c354e1e66d927afe339aaba45ff3c750ed52193c910
+ 245 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:netwire botnet keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-kre7pnq496/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

cab dbe6d38450756c8ca82a40a7caadb9893b6ba4c01a3fdb0fccee63fd1b633581

Executable exe 3b671c3d24db562f33df95a58e3aa4a74c33cc07a4a609804d1d11fab98c18cc

(this sample)

  
Dropped by
MD5 15c69c4d6dc1f992b4a426466740af81
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dbe6d38450756c8ca82a40a7caadb9893b6ba4c01a3fdb0fccee63fd1b633581

Comments