MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 841b9682f1bcb94cc4c510c2564791004f3d1c26ae764c42c145fe16ab093901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NetWire
Vendor detections: 4
| SHA256 hash: | 841b9682f1bcb94cc4c510c2564791004f3d1c26ae764c42c145fe16ab093901 |
|---|---|
| SHA3-384 hash: | ccfe9a95e0d6ccc9f7baba76294c8c3015ef04d598fab4b135ba1d2b9af8896d8f642f300a42b1f58d045136afe27881 |
| SHA1 hash: | 7de03b9576854d47e4d3624662a2888ef5466d25 |
| MD5 hash: | d48dfaadabf9b1c77ea8dbd2ac760902 |
| humanhash: | diet-georgia-north-winner |
| File name: | RFQ GENERAL ITEMS.exe |
| Download: | download sample |
| Signature | NetWire |
| File size: | 786'432 bytes |
| First seen: | 2020-04-16 09:51:27 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | a380e94945ac178a48b58027102590a5 (1 x Formbook, 1 x NetWire) |
| ssdeep | 12288:r7Ru4WLAayLxxq6NY4dbVnrTA3mAAHiSQYT+28ahXBWbDQ:r7Ru4W8ayLxxqYbVnrTA3mAACfYloQ |
| Threatray | 5'084 similar samples on MalwareBazaar |
| TLSH | 2FF46B02627C9DE6F1DD3DB10A51AB2408A4ACB46E3F8593EB977DCAD437983C6312D1 |
| Reporter |  Racco42 |
| Tags: | exe FormBook NetWire |
Intelligence
File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Gathering data
Threat name:
Win32.Trojan.Grp
Status:
Malicious
First seen:
2020-04-08 04:30:41 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
26 of 31 (83.87%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
netwirerc
Similar samples:
+ 5'074 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoFreeUnusedLibraries |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::SetStdHandle |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesA KERNEL32.dll::FindFirstFileA |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegSetValueExA |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA USER32.dll::PeekMessageA USER32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.