MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 497b04efe79c9dce8bb75a37d72702eb9b703912994c5351a6792a8c217160c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	497b04efe79c9dce8bb75a37d72702eb9b703912994c5351a6792a8c217160c9
SHA3-384 hash:	892d7ec04af5628ae00aafbb9a59b7dcb4059c007a0293400b440e8b5bf326193bb3a421d8a4fe7f084d4edb4bf5c742
SHA1 hash:	04e0cdfce4fa87ec822736d77090e7eea2fc435c
MD5 hash:	edded1e2382bd3fa5b966f3067690cc1
humanhash:	washington-fix-blossom-magnesium
File name:	order.zip
Download:	download sample
Signature	NetWire Create hunting rule
File size:	723'061 bytes
First seen:	2021-07-21 07:32:15 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:44mLOKmsbwSGUEhZN141kmc+rHpErthBUn3WIHzClHNz6MSfcvJ93ydhtTzlAX+2:fYOKmeGHhD137BhBUnnH2SMR9CdhRz2Z
TLSH	T139F4337E608D5FDFDCFAF225C4D7B3EC523032067A95247706E8E5A12AE51E08428AD7
Reporter	cocaman
Tags:	NetWire zip

cocaman

Malicious email (T1566.001)
From: ""ANTHONY MACOVICH" <info@cbbc.com>" (likely spoofed)
Received: "from vps-c9a55490.vps.ovh.net (vps-c9a55490.vps.ovh.net [149.202.44.208]) "
Date: "Wed, 21 Jul 2021 09:20:27 +0200"
Subject: "Purchase Ordr 112345"
Attachment: "order.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs2008.UNOFFICIAL

Sanesecurity.Malware.21082.ZipHeur.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/497b04efe79c9dce8bb75a37d72702eb9b703912994c5351a6792a8c217160c9

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/497b04efe79c9dce8bb75a37d72702eb9b703912994c5351a6792a8c217160c9/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-21 07:33:03 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jf5qj37htso45c5xli35ojyc5onxaoistfgfgungpeviyilrmdeq._file

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/210721-gn8668tnaa/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

84.38.129.130:19891

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/497b04efe79c9dce8bb75a37d72702eb9b703912994c5351a6792a8c217160c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip 497b04efe79c9dce8bb75a37d72702eb9b703912994c5351a6792a8c217160c9

(this sample)

NetWire

exe 9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 9add495b9373ca17ea4f158da84a200f3d5a52ce81bc535a575a5eac31bd76bb

Dropping

NetWire

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample