MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f9f4cc3a0403e5c2522726849e8a2033d72fc7f36b2317bc9fb86808c1693ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f9f4cc3a0403e5c2522726849e8a2033d72fc7f36b2317bc9fb86808c1693ec
SHA3-384 hash: aa814829c37b8d0345b9ea565b47ac079f4db8759f85a5ea458b0670efa5aa7de925156cfb63e301bfe291dafb340106
SHA1 hash: 6bb62259e48c90b8df62e2a088768383fda89171
MD5 hash: 5477844578f129713ab289e104d72eab
humanhash: butter-butter-alanine-speaker
File name:5477844578f129713ab289e104d72eab.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:3'405'312 bytes
First seen:2020-06-02 07:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c4ab8763277fe07e8a7a1f5ab6c99a11 (2 x NetWire)
ssdeep 49152:El5HQiwBGfHFFjzFlL+v+9mb2JKsMXIrvJKtORizuQJr5QuNecOE9z9IG:MtZN+J2JKatKtaQVzgcOE9
Threatray 303 similar samples on MalwareBazaar
TLSH 84F55D227980C535D9D221F4895D72B053ACECB08B2043DB65987BEEBEB57C25E346CB
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire RAT C2:
mayserver-bamzy.ddns.net:2202 (38.147.115.210)

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Jrvyiup
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 00:49:54 UTC
File Type:
PE (Exe)
Extracted files:
472
AV detection:
11 of 31 (35.48%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6puzq5aia7fyjjcojuet2fcam6xf7d7g2zdc66j7odibdawspwa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
4e52cdd00c05814d563b70e3271df67fb530ec90dca084a4f1b4d3f539e58061
NetWire
5f8cd119c7cc31eef0e66451fb05d5179c60850b2330ebcb76066dd289172a17
NetWire
6bcd9c589b51cbd1011942b2bdaeaab62748c7380a17336b35bf589c880553b8
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
b0a98ae8b1dadc3b181f6252abef59940ceeb5019cd4ae2f0feadb0a520063cd
NetWire
b16b3d99441f078e081e2ac0a8f0121ce4dab264bf434e353d1e00a57e54d3aa
NetWire
b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
NetWire
c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea
NetWire
ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb
NetWire
f53faac8d340d58a2e4916652372ccc1ec9be6a34da5332ee31072ed9c75c37a
NetWire
+ 293 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence stealer
Link:
https://tria.ge/reports/201109-f75m2v9w2n/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments