MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65f6a568a39f5285acc4fd58563be987f6a128165ae0b89cffc038a26f4e54b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 6



SHA256 hash: 65f6a568a39f5285acc4fd58563be987f6a128165ae0b89cffc038a26f4e54b6
SHA3-384 hash: e0969545a36e4fc5e798bef8d0f7d3169e266ded57c616449a50b376ccea77250de46e1afdaee81ee7c830a788f92747
SHA1 hash: 6ad12710b8db21ca68287ad13a0e3218faa02359
MD5 hash: ace51336104987ec0ee721c47bb2a828
humanhash: quebec-solar-winter-iowa
File name: Proof_Of_Payment.exe
Signature: NetWire
File size: 1'029'374 bytes
First seen: 2020-06-15 13:43:37 UTC
Last seen: 2020-06-16 09:30:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 24576:bNA3R5drXdFdkvA8KbpZx7s3oFQYcEn7ERQ:G5NkvibLxIo6g
Threatray: 516 similar samples on MalwareBazaar
TLSH: B8251202BBC288F2D5321933593AA751787C7C300F75CF5FB7D85A6CC671291A626BA2
Reporter: abuse_ch
Tags: exe NetWire RAT
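The entry lists four independent digests for one file. The Python below is an added example, not MalwareBazaar's code: it computes the same four algorithms in a single pass over the input (so a sample of this size is read once), compares the result with the hash set copied from this entry, and grades the agreement so that an MD5- or SHA1-only hit from a vendor report is reported as a lead rather than an identification. The input bytes in the block are a constructed stand-in, not the sample itself. imphash, ssdeep and TLSH are not in the standard library (they need the pefile, ssdeep and py-tlsh bindings) and are left out.

```python
import hashlib

ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")

# Hash set copied from this MalwareBazaar entry (page data, not computed here).
ENTRY = {
    "sha256": "65f6a568a39f5285acc4fd58563be987f6a128165ae0b89cffc038a26f4e54b6",
    "sha3_384": "e0969545a36e4fc5e798bef8d0f7d3169e266ded57c616449a50b376ccea77250de46e1afdaee81ee7c830a788f92747",
    "sha1": "6ad12710b8db21ca68287ad13a0e3218faa02359",
    "md5": "ace51336104987ec0ee721c47bb2a828",
    "size": 1029374,
}

# Constructed stand-in bytes so the block runs offline; this is NOT the sample.
STAND_IN = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not the sample"


def digests(chunks):
    """Hash an iterable of byte chunks with all four algorithms in one pass.

    Returns a dict shaped like ENTRY (hex digests plus total size).
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def file_digests(path, chunk_size=1 << 20):
    """Hash a file on disk without loading it into memory at once."""
    with open(path, "rb") as f:
        return digests(iter(lambda: f.read(chunk_size), b""))


def match(observed, entry):
    """Return the set of fields on which observed digests agree with the entry.

    Comparison is case-insensitive because vendors print hex in both cases.
    """
    return {
        k for k in entry
        if k in observed and str(observed[k]).lower() == str(entry[k]).lower()
    }


def verdict(observed, entry):
    """Grade the agreement: a SHA-2/SHA-3 hit identifies the sample, an
    MD5/SHA1-only hit is a lead (both are collision-prone), else no match."""
    agree = match(observed, entry)
    if "sha256" in agree or "sha3_384" in agree:
        return "identified"
    if agree & {"sha1", "md5"}:
        return "weak-match"
    return "no-match"


if __name__ == "__main__":
    observed = digests([STAND_IN])
    print(verdict(observed, ENTRY), match(observed, ENTRY))
```

To check a real file, call file_digests(path) and pass the result to verdict(..., ENTRY); any field present in the observed dict is compared, so a dict holding only the MD5 from a vendor report still produces a graded answer.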


abuse_ch
Malspam distributing NetWire:

HELO: host19.axxesslocal.co.za
Sending IP: 197.242.145.93
From: Absa <ibreply@absa.co.za>
Reply-To: noreply@absa.co.za
Subject: Proof of Payment
Attachment: Proof_Of_Payment.cab (contains "Proof_Of_Payment.exe")

NetWire RAT C2:
154.16.93.182:3361
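The fields in the report above (HELO host, sending IP, From, Reply-To, attachment chain, C2 endpoint) are what a mail-gateway triage rule keys on. The Python below is an added example, not code from MalwareBazaar or abuse_ch. It rebuilds a message from the reported header fields and flags two things the report shows: the claimed From domain (absa.co.za) is not served by the HELO host, and the .cab attachment wraps an executable. It also matches the reported C2 endpoint against connection records. The Received line layout, the receiving MTA name mx.example.invalid, the message body and the flow-log lines are constructed assumptions; .cab extraction is assumed to be done by an external unpacker whose listing is passed in, because the standard library cannot read .cab archives.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ARCHIVE_EXT = {".cab", ".zip", ".rar", ".7z", ".iso", ".img"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd"}

# Constructed message built from the header fields in the report. The Received
# line, the receiving MTA name and the body are assumptions; the page gives only
# the HELO name, sending IP, From, Reply-To, Subject and attachment names.
SAMPLE_MESSAGE = """\
Received: from host19.axxesslocal.co.za (host19.axxesslocal.co.za [197.242.145.93])
    by mx.example.invalid with ESMTP id constructed
From: Absa <ibreply@absa.co.za>
Reply-To: noreply@absa.co.za
Subject: Proof of Payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please find attached the proof of payment.
--b
Content-Type: application/vnd.ms-cab-compressed; name="Proof_Of_Payment.cab"
Content-Disposition: attachment; filename="Proof_Of_Payment.cab"
Content-Transfer-Encoding: base64

AAAA
--b--
"""

# Listing an external unpacker would return for the attachment (assumed shape:
# attachment filename -> inner filenames). Inner name taken from the report.
SAMPLE_LISTING = {"Proof_Of_Payment.cab": ["Proof_Of_Payment.exe"]}

# C2 endpoint from the report.
C2 = ("154.16.93.182", 3361)

# Constructed flow records: '<timestamp> <src ip:port> -> <dst ip:port> <proto>'.
SAMPLE_FLOWS = [
    "2020-06-15T13:49:58Z 10.0.0.23:49811 -> 203.0.113.10:443 TCP",
    "2020-06-15T13:50:02Z 10.0.0.23:49812 -> 154.16.93.182:3361 TCP",
    "2020-06-15T13:50:07Z 10.0.0.23:49813 -> 154.16.93.182:443 TCP",
]

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def first_hop(msg):
    """Return (helo_name, sending_ip) from the first parseable Received header."""
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(hdr)
        if m:
            return m.group(1).lower(), m.group(2)
    return None, None


def ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(raw, listing):
    """Return a list of findings for one message; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []

    helo, ip = first_hop(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # Naive alignment check (no public-suffix list): the HELO host should be the
    # From domain or a host under it.
    if helo and from_domain and not (helo == from_domain or helo.endswith("." + from_domain)):
        findings.append(f"helo-mismatch: From {from_domain} sent via {helo} [{ip}]")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: {from_domain} vs {reply_domain}")

    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if ext(name) in EXEC_EXT:
            findings.append(f"executable-attachment: {name}")
        elif ext(name) in ARCHIVE_EXT:
            inner = [n for n in listing.get(name, []) if ext(n) in EXEC_EXT]
            if inner:
                findings.append(f"executable-in-archive: {name} contains {', '.join(inner)}")
    return findings


def c2_hits(flow_lines, c2=C2):
    """Return flow records whose destination is exactly the reported C2 ip:port."""
    needle = f"{c2[0]}:{c2[1]}"
    hits = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "->" and parts[3] == needle:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE, SAMPLE_LISTING):
        print(finding)
    for hit in c2_hits(SAMPLE_FLOWS):
        print("C2 contact:", hit)
```

The Reply-To check deliberately produces no finding here, since the report shows both addresses under absa.co.za; the HELO check fires because the mail left an axxesslocal.co.za host. The C2 match is exact on ip:port, so the third flow record (same IP, port 443) is not reported; widen it to the IP alone if the hunt is for any contact with that host.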

Intelligence


File Origin
# of uploads: 2
# of downloads: 96
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Backdoor.NanoCore
Status: Malicious
First seen: 2020-06-15 13:45:06 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: netwire
Score: 10/10
Tags: family:nanocore family:netwire botnet keylogger persistence rat spyware stealer trojan

Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
NetWire RAT payload
Netwire

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 65f6a568a39f5285acc4fd58563be987f6a128165ae0b89cffc038a26f4e54b6 (this sample)

Delivery method: Distributed via e-mail attachment
