MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
SHA3-384 hash: 5a1e194c9b0e99d16166bd3a4f703b4e6c24be3855ca9c22d51793cf733fbb9ffc359b75329e2f4aa69d6325a8e81c93
SHA1 hash: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
MD5 hash: 5f94b6301d49cbae4a3903baa511586a
humanhash: william-idaho-bakerloo-helium
File name:5f94b6301d49cbae4a3903baa511586a.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:94'208 bytes
First seen:2020-05-22 13:41:40 UTC
Last seen:2020-05-22 15:01:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 87591f422cd35f220be67398a7898100 (1 x NetWire)
ssdeep 768:bhetNA5LbRwe4ICaiVS2Km6eUsr1elBbn/1OX8vILD81N1ihxCLEn+Q05Vk+e4Ts:VecdXCfVK7eUsr1elBbYX8un+Y54Ts
Threatray 209 similar samples on MalwareBazaar
TLSH 99930975BC90EDB2DA320EF14E324AA42467AC711D410B03B5DE3F6D293679F982539B
Reporter abuse_ch
Tags:exe GuLoader NetWire nVpn RAT


Avatar
abuse_ch
GuLoader payload URL:
http://ventillos.ug/h1.bin

NetWire RAT C2:
cbvdfsavxcfdgbdsfg.ru:6976 (91.193.75.172)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 14:38:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2151298323c73bf6173dc2887e1f50d78d493d3029f3da3b525e48f3aeea5e47
NetWire
32b8ffac3250444904e6af3fca1f6408e684f11ad59e6c46887cf44f5de19e6b
NetWire
4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93
NetWire
59825608710179356a6809648f78199bce58922841920895d441db2ab64e2da7
NetWire
69386692648e92eb4a80be0962bc1dff4a1c6773ed7ae2f30a2947ad96449f03
NetWire
91adaeeb7ac7733741a68cc0283a10f64403f64d1378558bae2342bec847f8e5
NetWire
a020b1d430a80a59b4578da28132bb4354c44d62095078d8aaa1471361bb4248
NetWire
bd50fceeb89d220f6710030d3aacbc2427c5796d9b7f3dee8a362f4e7d4113ef
NetWire
f3691f40ec472e4bc10cd7855fce1e52a6e177513c1cff51054463cff7106601
NetWire
f8a6d117bfaaeaf97082bdab997196ebc517e34c45eda9b687c19923feeefdd6
NetWire
+ 199 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-6efdzlx4qx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent state file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366608/
  
URLhaus
https://urlhaus.abuse.ch/url/364846/
  
Delivery method
Distributed via web download

Comments