MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e
SHA3-384 hash: 68989eadcf532922aa36777772fb2d065aa6fe5687b01c58f75a09238038a1cc651c0d5d95b4a2791e83f13a18bf8bb0
SHA1 hash: 1ab21a1c3b7f5d88433f74700f00088de0dc0f6d
MD5 hash: dc94775bedb105ddf0c39bb4cf2d5340
humanhash: helium-georgia-mars-vermont
File name:91HN20DCI100053,54,80.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:958'264 bytes
First seen:2020-10-26 14:01:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 911ad15eafc60c6c5da31e0ed83b95b8 (7 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:DVCTeZF541To2ztd5/IEAHqDPD3PDQnA/g07SVllvweV+8YZqckawUNlY7RzjTOW:DVCCa1Rzt0EAHqf36EFAzlujYYue8
Threatray 420 similar samples on MalwareBazaar
TLSH 50159E2176918836D1731B7A9D5FA7789E25FE002E2066473BFC688C4F76790387A2D3
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.eww-group.com
Sending IP: 111.90.146.99
From: Purchasing Department <purchase.samples@libgroup.co.th>
Reply-To: karensdwind@null.net
Subject: PO. 91HN20DCI100053,54,80 Order Nike Season SU21 MID NOV BUY.
Attachment: 91HN20DCI100053,54,80.zip (contains "91HN20DCI100053,54,80.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79095/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/511846
Signature
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 05:36:52 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfkr7y5tcjbf6cspsrvtu3vzarf4pmvxwftffcavgkkwo44ekcpa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
NetWire
23fd501c884e2f46d38af81b0d6e423ea0bff8c5eee615227806faf7b2833827
NetWire
42808813b67b34a144d03a26fb5a9cf6cd59e185e58d73750585654c09242e5b
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
8546c35ea3d72e58b06dbcdb3d790fe9d39772ec986a2b89c406daab67efe79b
NetWire
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
NetWire
8e3dd0c0c4913e5eb7de42a42bea5c3ff396542ee47737ed9eeb3b5439e95c6b
NetWire
b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
NetWire
dc8b1aa91228f69edb8b71fafd9231f6d6d55d50ea17e3a845a3014e419cdb60
NetWire
e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
NetWire
+ 410 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader botnet stealer family:netwire
Link:
https://tria.ge/reports/201026-wwntc36ck6/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip e3b6572d8673ae805fb928f98ec9b641370847593132d9d34227f8ddd16d96ad

NetWire

Executable exe 49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e

(this sample)

  
Dropped by
MD5 81676f5d226c8d7e27eb7b2385285f97
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e3b6572d8673ae805fb928f98ec9b641370847593132d9d34227f8ddd16d96ad
Cape
Cape
https://www.capesandbox.com/analysis/79095/

Comments