MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f90252cb372d120223981bf24a7eb42ba6a8eadf27d7bb958c2f22f18a52367. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f90252cb372d120223981bf24a7eb42ba6a8eadf27d7bb958c2f22f18a52367
SHA3-384 hash: 39ab8036748583e8e8d74f1fa457ffbd7106d1695db0083cdb3dcf1e3a8c63518437a5bc8351db5193db2b07426aea1b
SHA1 hash: 956c9baa08ae5a0890f79909bee2a3dddb68bcef
MD5 hash: 1f1dcee042b7e9bef0bc4555fdcc100c
humanhash: winner-avocado-sad-sad
File name:273be79c5a745b4a18ef20e1e3b4642f.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:151'552 bytes
First seen:2020-03-26 15:06:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4563c74acbd357d386b177e402b96ce4 (60 x NetWire)
ssdeep 3072:2XFgYEAsB4+Cb3iiDUCcmE90rvPkGK+dr6YMiFfS:2XGYEVat3iiDUCcf+rEG5YziFf
Threatray 251 similar samples on MalwareBazaar
TLSH 8FE3F758F987A0F6FE4B1C31958BF36F4B757E00C234CE91EF580E86EA23D29111AA55
Reporter abuse_ch
Tags:exe GuLoader NetWire


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1W6xoiT5gVBQIxg-dlKskCPUZfPShg24j

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b6c3b55b9576aeb6f8d89c382bb534e65e13f0dc047de5796f8d1c83678d45d3

NetWire

Executable exe 5f90252cb372d120223981bf24a7eb42ba6a8eadf27d7bb958c2f22f18a52367

(this sample)

  
Dropped by
MD5 273be79c5a745b4a18ef20e1e3b4642f
  
Dropped by
MD5 5ee773ce006fc6b09430b79280252ab7
  
Dropped by
GuLoader
  
Dropped by
SHA256 b6c3b55b9576aeb6f8d89c382bb534e65e13f0dc047de5796f8d1c83678d45d3
  
Dropped by
SHA256 b8697b2881af484e0ce9d111ece4a202831322e13848b83aba7626e4719a75f1
  
URLhaus
https://urlhaus.abuse.ch/url/326781/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.DLL::CryptUnprotectData
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteA
SHELL32.DLL::ShellExecuteW
SHELL32.DLL::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.DLL::GetUserNameW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.DLL::CryptAcquireContextA
ADVAPI32.DLL::CryptCreateHash
ADVAPI32.DLL::CryptGetHashParam
ADVAPI32.DLL::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegDeleteKeyA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::closesocket
WS2_32.dll::connect
WS2_32.dll::gethostbyname
WS2_32.dll::htons
WS2_32.dll::inet_ntoa
WS2_32.dll::ioctlsocket
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments