MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a20134812ee99ea27f90c22c55eff2020df0bbad574809d9a03ff1cad3a4f43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a20134812ee99ea27f90c22c55eff2020df0bbad574809d9a03ff1cad3a4f43
SHA3-384 hash: 5540fde017ff92f572fad6391319e938cbabda46d9138e9c10af7a503f31e14e2fe589dab53052bf28409b63c06c8a6a
SHA1 hash: 6ca25e731f8249a7464849ca28f9ec2c156de409
MD5 hash: 6f450c216ed15d65642affc7860c8613
humanhash: jupiter-purple-west-triple
File name:998877887.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:792'970 bytes
First seen:2020-08-18 06:22:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire)
ssdeep 12288:kgAk0EFhcIK4FpC8FkjqwXRZtyjHqYt4ONWe744bmhiSEAlUgBAj:5MCc4FpC8Fkjb0jhtrXF0rE
Threatray 284 similar samples on MalwareBazaar
TLSH C2F49EE2E2808437C1332A7BDD1B9E9968267F513E28DC466BE41D4C4F3A7D1783A197
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: shamirlensthailand.com
Sending IP: 103.7.56.165
From: Phoenix sales <info@phoenix-india.in>
Reply-To: info@phoenix-india.in
Subject: Purchase order no. PO-20-21-134 dt.15-08-2020 - M/s. Phoenix
Attachment: PO 998877887 pdf.rar (contains "998877887.exe")

NetWire RAT C2:
okamoto.hopto.org:3871 (194.5.97.15)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'

inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47514/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Setting a single autorun event
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a20134812ee99ea27f90c22c55eff2020df0bbad574809d9a03ff1cad3a4f43/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 06:24:08 UTC
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tiqbgsas52m6uj7zbqrmkxx7eaqn6c522v2ibhm2ap7rzlj2j5bq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da
NetWire
2928d0d53b459f6b822fd781360a743b3548f31c31c012ba8a25b42235aff154
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
8c940846bd45f30de0358c90c8caef670b5e15bc9468452418d215c40ed62a20
NetWire
af9cd43a93f367a04bfc05abe54327de1bbd7857ca85e1665828d557d6459b62
NetWire
b0a98ae8b1dadc3b181f6252abef59940ceeb5019cd4ae2f0feadb0a520063cd
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
f53faac8d340d58a2e4916652372ccc1ec9be6a34da5332ee31072ed9c75c37a
NetWire
+ 274 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
persistence botnet stealer family:netwire
Link:
https://tria.ge/reports/200818-57hjvqrn16/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:targets loader
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar beed82b3a7875e1535c92ea46a8a06b57c994b1226228c0a4fc0a24f79ccd823

NetWire

Executable exe 9a20134812ee99ea27f90c22c55eff2020df0bbad574809d9a03ff1cad3a4f43

(this sample)

  
Dropped by
MD5 5eb5ddc39cd67a8f1dca0141f953474f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47514/
  
Dropped by
SHA256 beed82b3a7875e1535c92ea46a8a06b57c994b1226228c0a4fc0a24f79ccd823

Comments