MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 566dfcc4ee6de9b9963de7d92276a5db51e6e40e4040ceb5fc25872673fec234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 566dfcc4ee6de9b9963de7d92276a5db51e6e40e4040ceb5fc25872673fec234
SHA3-384 hash: 2bf8860d1568ddff22d85a9db8c1e27292d70c250c0561e564a7dec79e532a0fd40f9ee490581f50f66b2d7712937a31
SHA1 hash: 5ae4244648bea023f608d9c0164d8a7f03d907e1
MD5 hash: aa8d0b33a1ec3702ba2e4d20923e405f
humanhash: spaghetti-salami-chicken-alaska
File name:aa8d0b33a1ec3702ba2e4d20923e405f.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'247'232 bytes
First seen:2020-06-25 09:33:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 274187873f522793ab32e9ddbc2b6276 (3 x FormBook, 2 x RemcosRAT, 1 x CyberGate)
ssdeep 24576:vyFa3MXDV0cc11BWwQb1ppGIPhECsoxvgiovPoPbg9ao4Tn03:vyFa3MOxybb1ppGIPhECsoxvgiovPoPu
Threatray 293 similar samples on MalwareBazaar
TLSH 8345E49F79721F3DF122C139DA193D69C8517913AE170E3D86E12D081EADE4839EB1CA
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
NetWire RAT C2:
thompson.ug (194.5.97.49)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.97.0 - 194.5.97.255
netname: Privacy_Online
remarks: ------------------------------------------------------------------------
remarks: This prefix is used by a non-logging VPN service provider.
remarks: We don't log any user activities.
remarks: We don't host anything else on our servers than VPN software (OpenVPN,
remarks: IKEv1 & 2, WireGuard ...).
remarks: Our customers can open up to 8 Ports (TCP & UDP).
remarks: We support the Tor Project: https://www.torproject.org
remarks: Before sending us potential complaints, please read:
remarks: https://www.torservers.net/abuse.html
remarks:
remarks: We are under constant pressure by Spamhaus.
remarks: Spamhaus issues tons of fake SBL listings in order to destroy our service.
remarks: They use fake identities, violate EU laws and hide outside the EU in
remarks: Andorra to avoid legal consequences.
remarks: Please don't trust this organization.
remarks: If you have any questions related to our service, please contact us
remarks: directly via e-mail: support@inter-cloud.tech
remarks:
remarks: Thank you.
remarks: ------------------------------------------------------------------------
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
country: RU
status: SUB-ALLOCATED PA
mnt-by: inter-cloud-mnt
created: 2018-07-23T09:31:45Z
last-modified: 2020-03-10T21:27:32Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14123/
Detection(s):
SecuriteInfo.com.BScope.Backdoor.Remcos.13207.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/566dfcc4ee6de9b9963de7d92276a5db51e6e40e4040ceb5fc25872673fec234/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzw7zrhonxu3tfr547mse5vf3ni6nzaoibam5np4ewdsm476yi2a._file
Verdict:
malicious
Similar samples:
2e1b3dec1609efaee181ea5c2865ace9ac7be4b5ee8420a71ef9fff500440377
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0
NetWire
bd1589272562cfa237eb1aac2fe9efa600bf1abad49706119cf4e3bcee7dfe26
NetWire
bf9e953c433f1108878018fba685844d8cd89171a40b9387386e4dc89c1ca981
NetWire
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
NetWire
c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde
NetWire
d5b1dfa52d7b7e4a025f3c2c9084005e6e41eb48b81711ae58ab1b641ef99e64
NetWire
dbdfc4a9100fa08d0bb6ca2879febbc5e0db4eca85168dfefb526b584976efaf
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 283 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire persistence
Link:
https://tria.ge/reports/200625-khvpw9kr9s/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetThreadContext
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14123/

Comments