MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72b5c1eee8f0fcfef6817c8858f1661de269386ce804f0caa87b47bc081d7d27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72b5c1eee8f0fcfef6817c8858f1661de269386ce804f0caa87b47bc081d7d27
SHA3-384 hash: e6ede62b5dee69c94a950d07c72edf9edafe06faa06841d96e83e819f9874033a6b9d1a59fb03e14375c10012cb40dd6
SHA1 hash: 2288b83cc9716f82e8f95962e65335ea9d4b5509
MD5 hash: da3cc2973d7e10732123bd8e248aebd9
humanhash: west-fruit-arkansas-island
File name:PO1153652300.7z
Download: download sample
Signature NetWire
Create hunting rule
File size:713'625 bytes
First seen:2022-05-29 19:24:13 UTC
Last seen:2022-05-29 19:35:40 UTC
File type: 7z
MIME type:application/x-rar
ssdeep 12288:O1oI5fj8IeA2Sk4AsAs4DJ9m3qbDW7Pg4SRX0YJMSyWQUlEPdk120Kc95IuhL:O1oI5h2SkvprmabDWjkREYJMSyWGdQ99
TLSH T11FE4233157FD078484FF618D10A641CEA921DB13726EEBEC89930ED16DAB1F6A051B73
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:7z NetWire payment


Avatar
cocaman
Malicious email (T1566.001)
From: ""John Ribeiro" <contact@panzy.xyz>" (likely spoofed)
Received: "from mta0.panzy.xyz (vmi866307.contaboserver.net [75.119.143.97]) "
Date: "27 May 2022 07:52:40 -0700"
Subject: "Payment receipt attached for your confirmation"
Attachment: "PO1153652300.7z"

Intelligence

File Origin
# of uploads :
3
# of downloads :
497
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed wacatac
Link:
https://www.filescan.io/uploads/6293c891370bb1455ccfc8a7/reports/7bca0d55-bf2f-47fa-b6e1-2ee2a0032a98/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72b5c1eee8f0fcfef6817c8858f1661de269386ce804f0caa87b47bc081d7d27/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-05-27 11:31:10 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ok24d3xi6d6p55ubpsefr4lgdxrgsodm5acpbsvipnd3yca5putq._file
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220529-x4ylasghh8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
podzeye.duckdns.org:6688
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72b5c1eee8f0fcfef6817c8858f1661de269386ce804f0caa87b47bc081d7d27

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

7z 72b5c1eee8f0fcfef6817c8858f1661de269386ce804f0caa87b47bc081d7d27

(this sample)

NetWire

Executable exe a5140fceb2803eef7a1c8081c3428310baaa0dea404ef86e5d2d4a96b80fe538

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a5140fceb2803eef7a1c8081c3428310baaa0dea404ef86e5d2d4a96b80fe538
  
Dropping
NetWire

Comments