MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b721bab0bd5320bc77d0ffc8a747f342cfe8ab1654a69816b3efd0fe021ffe99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b721bab0bd5320bc77d0ffc8a747f342cfe8ab1654a69816b3efd0fe021ffe99
SHA3-384 hash: c466ce3e41a1c3fee55d71da392266f87c4b7b555b396a9253c3826218454456783f9f76dc1a409762544e830528fe66
SHA1 hash: c7c75da23b15b5375fa3bfa5e86c8b0d2bc104f4
MD5 hash: c801e9d6d1a2b5d322d2d0d2ed1a5738
humanhash: video-september-undress-arizona
File name:blk.exe_
Download: download sample
Signature NetWire
Create hunting rule
File size:734'720 bytes
First seen:2020-03-18 13:34:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 83dfbefc4372e7a3242335b895082314 (1 x Loki, 1 x NetWire)
ssdeep 12288:gKub4ioNq4DWYWOSaAtaanmQP/T8C5MEfjYURjpU9esGG:gBcin4DWYW1aRamk8C24jYURji9e0
Threatray 4'622 similar samples on MalwareBazaar
TLSH 83F4BF22E2E14837D1B7177C9D1B9768983ABDD02F24D94A2FE41DCC5FF828138562A7
Reporter oppimaniac
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Siggen2.45058.20620.14559.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-18 14:55:57 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2302aa79bb34eb683a91324995a9fb366bbbe55dffb53deee00b842e75ad19c0
NetWire
2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d
NetWire
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
NetWire
322427854deccec94e7331e8d3faa9f2701289b8e2faac322889c5b04d6b8f5e
NetWire
3259355435f9e6a9b041b93c2faa1ad8a3867de478a436606702593e4e130dd0
NetWire
52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9
NetWire
5628310c6fe718d77dadbc5c8cb6238faa27942517b590c2a87c07aadca429d6
NetWire
99b8af6a588d533f5db198d141d5909149f6f34c8a9535c09353f1a8a813600f
NetWire
a91c5af7a94238bb1556b641b9f5bc7798133b3d699a9f3d5b88b8f8fc12f091
NetWire
f38d170b1da421aa60e778a64fec953d3058336f7cb06568ba7926495fe87f0c
NetWire
+ 4'612 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b721bab0bd5320bc77d0ffc8a747f342cfe8ab1654a69816b3efd0fe021ffe99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe b721bab0bd5320bc77d0ffc8a747f342cfe8ab1654a69816b3efd0fe021ffe99

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/326427/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
kernel32.dll::GetTempPathA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments