MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 7

Intelligence 7 IOCs 1 YARA File information Comments

SHA256 hash:	3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
SHA3-384 hash:	381d6267d553633af7d748db5e00f8093f16b5ed3c042587544f0943d329e1112237d91267f1097349038d1e636f278d
SHA1 hash:	9ce0416256b3b41df4015c5df56122790fd93ca5
MD5 hash:	1e3d729aefe43012af8f4b8d4ae78c64
humanhash:	lake-spring-stream-carpet
File name:	3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1.dll
Download:	download sample
Signature	NetWire Create hunting rule
File size:	19'460 bytes
First seen:	2021-03-31 20:06:50 UTC
Last seen:	2021-03-31 20:43:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f91a9df836a8492fd4fd127123a75892 (1 x NetWire)
ssdeep	192:YmYL0yNLBlXwXp3TftWGAZLHd3kQZlMMAsj8qCQfQApXJLTLtcebIKeFH8grRG2p:YHLbDXwXpDlif+urfpXhhcogcipMRh
Threatray	1'055 similar samples on MalwareBazaar
TLSH	7C92BFAAF27D56C2D87080FED4034A2BF6E874A093655B5F05F45B809D77F392A32606
Reporter	abuse_ch
Tags:	dll NetWire RAT

abuse_ch

NetWire C2:
188.165.245.148:2233

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
188.165.245.148:2233	https://threatfox.abuse.ch/ioc/6330/

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2020_Tax_Prep.doc

Verdict:

Malicious activity

Analysis date:

2021-03-30 14:09:52 UTC

Tags:

macros macros-on-open

Link:

https://app.any.run/tasks/7ce10980-3d21-4119-ba6b-50c2b2ad3f31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/130081/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46000218.423.7517.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821/

Threat name:

Win64.Dropper.Demp

Status:

Malicious

First seen:

2021-03-30 17:48:00 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hog5hpevbyyqmt274bmo2pumexyifpxr6qxbijtwbtdpr7xrjaqq._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/210331-5qg4ftcapj/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Unpacked files

SH256 hash:

3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821

MD5 hash:

1e3d729aefe43012af8f4b8d4ae78c64

SHA1 hash:

9ce0416256b3b41df4015c5df56122790fd93ca5

Link:

https://www.unpac.me/results/ee796ce3-9e59-4806-81cc-ab72ac5b5b79/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy Activity

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/130081/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample