MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
SHA3-384 hash: 41d4385999c457334497bdaada07163437d73bbc48588e82481af3c83ac97db3180b654016dba0add0d141f35c8cc77c
SHA1 hash: 4129fe98ba4e3580b3b05b61a06e301ae9c4b958
MD5 hash: 598b0e23c0eb2baffc02fd05ce1b41e9
humanhash: uniform-angel-nevada-seven
File name: أمر الشراء 90037-2020.exe
Signature: NetWire
File size: 780'800 bytes
First seen: 2020-06-30 13:11:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e
ssdeep: 12288:1CbpcLhilrm7G8oclWEAroCo3DQmTccdAAo3ZNytUAV:auLhi80Jro7JATZ0
TLSH: 20F44BE1E350843EF0633579883B56BA5427BE1D6D28590A2AD1FE0E7EF73422427D87
Reporter: @abuse_ch
Tags: exe NetWire RAT


Twitter post by @abuse_ch:
Malspam distributing NetWire:

HELO: mailout12.t-online.de
Sending IP: 194.25.134.22
From: UMAIR - SHAHTAJ TEXTILES (ARABIA) <fa.zajitschek@t-online.de>
Reply-To: UMAIR - SHAHTAJ TEXTILES (ARABIA) <fa.zajitschek@t-online.de>
Subject: Purchase Order 90037-2020 (SHAHTAJ TEXTILE)
Attachment: أمر الشراء 90037-2020.uue (contains "أمر الشراء 90037-2020.exe")

NetWire RAT C2:
43.226.229.43:2030

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 36
Origin country: US

CAPE Sandbox
Detection: Netwire
Link: https://www.capesandbox.com/analysis/17197/

ClamAV
SecuriteInfo.com.Win32.Herz.B.23927.UNOFFICIAL
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0
SecuriteInfo.com.Variant.Zusy.307895.13627.19246.UNOFFICIAL

CERT.PL MWDB
Detection: n/a
Link: https://mwdb.cert.pl/sample/a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521/

ReversingLabs
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-30 13:13:04 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 2/5

Spamhaus Hash Blocklist
Status: Malicious file

Hatching Triage
Score: 10/10
Malware Family: netwire
Link: https://tria.ge/reports/200630-l47ymqagve/
Tags: rat persistence botnet stealer family:netwire

VirusTotal
VirusTotal results: 48.61%

Yara Signatures


Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: NetWire
Sample: Executable exe a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521 (this sample)
