MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9ecbca724efff37c8218d41e3263ce8a2c1e34647b216106e48ea3713daeb4ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NetWire
Vendor detections: 10
| SHA256 hash: | 9ecbca724efff37c8218d41e3263ce8a2c1e34647b216106e48ea3713daeb4ee |
|---|---|
| SHA3-384 hash: | 80f3bdf73b47a29f68ffb954782de416ab8ae292e19694515bdc34ef9cfce7d1bf12cc23c0ce97652c79c07046c30355 |
| SHA1 hash: | c0186f3b3a7eaf08876c578e2dd79b2003a4c003 |
| MD5 hash: | 4f1ad1323336fdc6e7ced82feb4a899a |
| humanhash: | stairway-finch-hotel-kilo |
| File name: | 4f1ad1323336fdc6e7ced82feb4a899a.exe |
| Download: | download sample |
| Signature | NetWire |
| File size: | 285'656 bytes |
| First seen: | 2022-04-30 05:10:36 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 56a78d55f3f7af51443e58e0ce2fb5f6 (736 x GuLoader, 453 x Formbook, 295 x Loki) |
| ssdeep | 6144:1NeZsW4yWRl+fU9pumj/+g7Me26gCGL0B8v2qEBtWugTsL:1NiqS8Kmjp7DUluBtWugTs |
| Threatray | 11'069 similar samples on MalwareBazaar |
| TLSH | T1EE540120A7C0D466D9671E34C135AAF62F23AE1EE452560F1BA07F5B3D32192473EF92 |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 70e0c2d2c286c840 (1 x NetWire) |
| Reporter |  abuse_ch |
| Tags: | exe NetWire RAT signed |
Code Signing Certificate
| Organisation: | Skance |
|---|---|
| Issuer: | Skance |
| Algorithm: | sha256WithRSAEncryption |
| Valid from: | 2022-03-13T21:12:51Z |
| Valid to: | 2023-03-13T21:12:51Z |
| Serial number: | 00 |
| Intelligence: | 330 malware samples on MalwareBazaar are signed with this code signing certificate |
| Cert Graveyard Blocklist: | This certificate is on the Cert Graveyard blocklist |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | f741432144bb936ce911991d5a34dbb5be4657f75f371239a5ed83a011c4924f |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 193.142.146.203:1010 | https://threatfox.abuse.ch/ioc/542503/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
498
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f1ad1323336fdc6e7ced82feb4a899a.exe
Verdict:
Malicious activity
Analysis date:
2022-04-30 05:12:19 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Result
Verdict:
Clean
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Malware family:
GuLoader
Verdict:
Malicious
Result
Threat name:
GuLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Detection:
netwire
Threat name:
Win32.Downloader.GuLoader
Status:
Malicious
First seen:
2022-04-28 01:38:00 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
11 of 42 (26.19%)
Threat level:
3/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
cloudeye
Similar samples:
+ 11'059 additional samples on MalwareBazaar
Result
Malware family:
netwire
Score:
10/10
Tags:
family:guloader family:netwire botnet downloader persistence stealer
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Netwire
Unpacked files
SH256 hash:
d80a49c4af6a5387d3cc6c720446270af0f67c4f4f7cf83dded68e443b4fa9e8
MD5 hash:
749593758bf7b6d8b6ae9d5d5dea9738
SHA1 hash:
6ee4246ac2753dd5bcaddfe77613487881cf7026
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SH256 hash:
eae9c9db228c5477b694c47491ca6271fc7864beead615202d1f3d98acb22718
MD5 hash:
fad6d8c923ac5b4f7f39740aa95bd020
SHA1 hash:
a841722205be959b2fd66044a5da149b6663a129
SH256 hash:
cd90153237ebdc98e8f3388a82c9ff150611b8767d44f23ac1685ac467b4bfb4
MD5 hash:
663e7f40a725f7c66d7603943c40b7b3
SHA1 hash:
cd3a8fe6516ad2f4ccf0b60c324a41af5bd73481
SH256 hash:
9ecbca724efff37c8218d41e3263ce8a2c1e34647b216106e48ea3713daeb4ee
MD5 hash:
4f1ad1323336fdc6e7ced82feb4a899a
SHA1 hash:
c0186f3b3a7eaf08876c578e2dd79b2003a4c003
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.