MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
SHA3-384 hash: 2d88a57eea39ad5acbe67d31bbe84ba98fc1b586cdc88c9a52102ea2b89162f0dd6ef5204e9567064aa560ddc546ee62
SHA1 hash: 56c820863598e63e3f5dea882dd16311b1489bed
MD5 hash: cf170a15551e18239a0d412f16bcba2d
humanhash: april-iowa-beryllium-lactose
File name:INQ Request Order COVID-19 208548U4000209845504554.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:102'400 bytes
First seen:2020-05-20 07:58:46 UTC
Last seen:2020-05-20 09:02:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash defd1263c7714791b74f193f9a85dbaa (1 x NetWire)
ssdeep 768:4CFQt8ZAD3w8g7sLSOlDHGa0yo0Pzko3wASeqbhdG7zLDbrlOSfbBRvwxlAKr8Gf:9KeArmR2DwASe4dirT6AKNk4rR
Threatray 4'377 similar samples on MalwareBazaar
TLSH 5BA31821F990ED51DA1C84FD9EA0A6AC028FAC701B11CA8F71C57B5D5DF3B85E92132B
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: park-mx.above.com
Sending IP: 103.224.212.34
From: Levent SARICA <contacts@g1economia.com>
Subject: Attn: uhasebe Inquiry and Request New Order YYNBHHGBAOI/ TT#
Attachment: INQ Request Order COVID-19 208548U4000209845504554.rar (contains "INQ Request Order COVID-19 208548U4000209845504554.exe")

Payload URLs:
http://naturepack.cc/files/RTXN.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Injector.EMAM.2692.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 09:44:50 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcxwajiktygo3ktg6bh6hhcbfpiaa6cvevkupx3i6xnem2dmttwq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0047270c26f603d132bc8e6a67894311356fe2d3c977aa287a09a8261f6b5690
NetWire
0b1dbd3162f501371ca4d99f39e0ad1631ab1d9698bf19bdd45163319fc0310b
NetWire
23958a583d62bf343e2641dd871d6d788c99649a722fe1908fea9e72e78d17b7
NetWire
4052cabc6efdd8910b0c92b973d1a37172a92ee408fc53209d746cfb65e08dcc
NetWire
77a42c231f074c0437c6e7ee53604e857f9496fcc17aeddfe987329cc748d353
NetWire
a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e
NetWire
b258aed05413eb191250d2907db5b64c4f36fdb0508fb3c9c6390c4144fd9497
NetWire
baac016255a128a1209211bba2a47979f3392f12c41d5805469f899eba6de47b
NetWire
cde5b9157162c55139f508884d7be6be903acc9d85842a667c1b2ef04a1ecd49
NetWire
d2e60c3bec22bb8dc8e990920648725abd8ffdc1925dee26ed8c8187dd7504c1
NetWire
+ 4'367 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-mef9alpfp6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar b27135b13576265f193f7fe29b886d7c093f17424fe3de2150a1bfd83386a5dd

NetWire

Executable exe 98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/365244/
  
Dropped by
MD5 ba7feecd03531cd8ada081f6d7207f69
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b27135b13576265f193f7fe29b886d7c093f17424fe3de2150a1bfd83386a5dd

Comments