MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abfcf2549a73d08e119bcd0ed8bc9d829628eb28ebe2f334fbc77b2c61c88d4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abfcf2549a73d08e119bcd0ed8bc9d829628eb28ebe2f334fbc77b2c61c88d4e
SHA3-384 hash: 95151a0ee910c6d85946601792714607a7521912a166a73f590e5e2f352917f198858b7938238ab974c7135921c65053
SHA1 hash: 29d8cf578059764c987251b08ed381f836e6f722
MD5 hash: 92db159d94ee4790bf709ccc8f3076f5
humanhash: fish-delta-princess-alabama
File name:Payment notification.tar
Download: download sample
Signature NetWire
Create hunting rule
File size:542'471 bytes
First seen:2020-10-23 08:54:53 UTC
Last seen:Never
File type: tar
MIME type:application/vnd.ms-cab-compressed
ssdeep 12288:J31t803diZG5AioV2NG5fWPsNTJIfJj/vMNnEK3LQvHXgt:JU81j4hWPSIJjsNnEHHXe
TLSH 3CB42388C567B099C95BC97B793EFDE05EFEC18BB764E08217A539B1A0AD0C085C6F41
Reporter abuse_ch
Tags:geo NetWire nVpn RAT tar ZAF


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail.kingsley.co.za
Sending IP: 23.111.177.27
From: FNB <Paymentemail@fnb.co.za>
Reply-To: Noreply@fnb.co.za
Subject: Payment Notification from AM SYSTEMS INTEGRATIONS_8GB5SKLG
Attachment: Payment notification.tar (contains "Proof of Payment.exe")

NetWire RAT C2:
185.140.53.183:3382

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-BE
country: BE
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-10-02T20:59:33Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.28064.14362.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abfcf2549a73d08e119bcd0ed8bc9d829628eb28ebe2f334fbc77b2c61c88d4e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 08:27:06 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vp6peve2opii4em3zuhnrpe5qklcr2zi5prpgnh3y55syyoirvha._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

tar abfcf2549a73d08e119bcd0ed8bc9d829628eb28ebe2f334fbc77b2c61c88d4e

(this sample)

NetWire

Executable exe 7146b96bfe2b8d7f1b3b45e45c675548fc3be8c377deaec45b0f970b327925a8

  
Dropping
MD5 aded39aef2cd540d9e530482f79dff9a
  
Dropping
NetWire
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7146b96bfe2b8d7f1b3b45e45c675548fc3be8c377deaec45b0f970b327925a8

Comments