MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
SHA1 hash: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
MD5 hash: 5f94b6301d49cbae4a3903baa511586a
File name: 5f94b6301d49cbae4a3903baa511586a.exe
Signature: NetWire
File size: 94,208 bytes
First seen: 2020-05-22 13:41:40 UTC
Last seen: 2020-05-22 15:01:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87591f422cd35f220be67398a7898100
ssdeep: 768:bhetNA5LbRwe4ICaiVS2Km6eUsr1elBbn/1OX8vILD81N1ihxCLEn+Q05Vk+e4Ts:VecdXCfVK7eUsr1elBbYX8un+Y54Ts
TLSH: 99930975BC90EDB2DA320EF14E324AA42467AC711D410B03B5DE3F6D293679F982539B
Reporter: @abuse_ch
Tags: exe GuLoader NetWire nVpn RAT


Twitter
@abuse_ch
GuLoader payload URL:
http://ventillos.ug/h1.bin

NetWire RAT C2:
cbvdfsavxcfdgbdsfg.ru:6976 (91.193.75.172)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE
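The indicators quoted in the tweet above (payload URL, C2 host and address, and the nVpn /24 from the whois record) plus the file hashes from this entry are what a responder would sweep logs and files for. The script below is an added example, not MalwareBazaar or abuse.ch code: it hashes a suspect file with the three algorithms the entry lists and sweeps whitespace-separated log lines for the network IOCs. The log lines are constructed for the example, the "host:port" token convention is an assumption about the log format, and the 91.193.75.0/24 range is taken from the whois inetnum above.

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the entry above: the file hashes, the GuLoader payload
# URL, the NetWire C2 endpoint, and the nVpn /24 that the C2 address sits in.
IOC_HASHES = {
    "sha256": "9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576",
    "sha1": "58e9c38396b81303c0ad5e5ddf7815c5f2387345",
    "md5": "5f94b6301d49cbae4a3903baa511586a",
}
PAYLOAD_URL = "http://ventillos.ug/h1.bin"
PAYLOAD_HOST = urlparse(PAYLOAD_URL).hostname
C2_HOST = "cbvdfsavxcfdgbdsfg.ru"
C2_PORT = "6976"
C2_IP = ipaddress.ip_address("91.193.75.172")
VPN_RANGE = ipaddress.ip_network("91.193.75.0/24")  # assumed from the whois inetnum above

# Constructed log lines (not from any real sensor): "time client verb target [extra]".
SAMPLE_LOG = [
    "2020-05-22T13:40:01Z 10.0.0.15 GET http://ventillos.ug/h1.bin 200",
    "2020-05-22T13:40:05Z 10.0.0.15 GET http://example.com/index.html 200",
    "2020-05-22T13:41:10Z 10.0.0.22 GET http://ventillos.ug/other.bin 404",
    "2020-05-22T13:41:59Z 10.0.0.15 DNS cbvdfsavxcfdgbdsfg.ru A 91.193.75.172",
    "2020-05-22T13:42:00Z 10.0.0.15 CONNECT 91.193.75.172:6976 tcp",
    "2020-05-22T13:42:30Z 10.0.0.15 CONNECT 93.184.216.34:443 tcp",
    "2020-05-22T13:43:00Z 10.0.0.31 CONNECT 91.193.75.9:443 tcp",
]


def hash_file_bytes(data):
    """Digest the bytes of a suspect file with the three algorithms the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def match_hashes(data):
    """Names of the algorithms whose digest of `data` equals the entry's value."""
    digests = hash_file_bytes(data)
    return [name for name, want in IOC_HASHES.items() if digests[name] == want]


def _split_port(token):
    """Split 'host:port' into (host, port); port is '' when the token has none.
    A URL token is returned unchanged because its text after the last ':' is
    never purely numeric. (Assumed log convention; IPv6 literals not handled.)"""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return token, ""


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def scan_log(lines):
    """Sweep whitespace-separated log lines for the entry's network IOCs.

    Returns (line_index, reason, confidence) tuples in the order found. Hits on
    the payload URL/host and on the C2 domain or address are high confidence;
    a bare hit on the nVpn /24 is low confidence, because the range is a shared
    VPN exit and only one address in it is the C2.
    """
    hits = []
    for idx, line in enumerate(lines):
        for token in line.split():
            host, port = _split_port(token.lower().rstrip("."))
            if host == PAYLOAD_URL:
                hits.append((idx, "GuLoader payload URL", "high"))
            elif host.startswith(("http://", "https://")) and urlparse(host).hostname == PAYLOAD_HOST:
                hits.append((idx, "GuLoader payload host", "high"))
            elif host == C2_HOST or host.endswith("." + C2_HOST):
                hits.append((idx, "NetWire C2 domain", "high"))
            else:
                ip = _as_ip(host)
                if ip is None:
                    continue
                if ip == C2_IP:
                    reason = "NetWire C2 IP:port" if port == C2_PORT else "NetWire C2 IP"
                    hits.append((idx, reason, "high"))
                elif ip in VPN_RANGE:
                    hits.append((idx, "nVpn range", "low"))
    return hits


if __name__ == "__main__":
    for idx, reason, confidence in scan_log(SAMPLE_LOG):
        print(f"[{confidence:4}] line {idx}: {reason} :: {SAMPLE_LOG[idx]}")
    print("hash match on a non-sample buffer:", match_hashes(b"not the sample"))
```

The low-confidence tier matters in practice: the whois record shows the /24 is a VPN service, so a block or alert on the whole range will also catch unrelated VPN users, while the C2 address plus port 6976 is the indicator worth acting on directly.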

Intelligence


Mail intelligence: No data
# of uploads: 2
# of downloads: 24
Origin country: US
ClamAV: PUA.Win.Packer.ProtectSharewar-2, PUA.Win.Packer.ProtectSharewar-3
VirusTotal results: 21.13%

Yara Signatures


Rule name: Malicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxiliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: MAL_unspecified_Jan18_1
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research

Rule name: netwire
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research

Rule name: Suspicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxiliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: NetWire
Sample: Executable exe 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576 (this sample)
