MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beed82b3a7875e1535c92ea46a8a06b57c994b1226228c0a4fc0a24f79ccd823. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 3



SHA256 hash: beed82b3a7875e1535c92ea46a8a06b57c994b1226228c0a4fc0a24f79ccd823
SHA3-384 hash: a18988d08029c0f4547c785239acf4af2eeb81938e41ef029c6048d50dbba57bd44ed63077695a2defad48505df6dcc5
SHA1 hash: 7127baaf865260b0301ab431cd5002201f4f8bbf
MD5 hash: 5eb5ddc39cd67a8f1dca0141f953474f
humanhash: arkansas-charlie-emma-connecticut
File name: PO 998877887 pdf.rar
Signature: NetWire
File size: 335'499 bytes
First seen: 2020-08-18 06:22:35 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 6144:VGrBAM5Uln4eutEg1uOrDB90bHtEEwRnZa9O6K9/0uvEs06PySx+M1lPv4:VGDUln4eutjuc9WbS7ZYOJ9RvEDSV1v4
TLSH: 936423081D46E136E6EDD393336A3BA549EE8CE80ED04987B5927FE3C0BD45E54C9392
Reporter: abuse_ch
Tags: NetWire nVpn rar RAT


abuse_ch
Malspam distributing NetWire:

HELO: shamirlensthailand.com
Sending IP: 103.7.56.165
From: Phoenix sales <info@phoenix-india.in>
Reply-To: info@phoenix-india.in
Subject: Purchase order no. PO-20-21-134 dt.15-08-2020 - M/s. Phoenix
Attachment: PO 998877887 pdf.rar (contains "998877887.exe")

NetWire RAT C2:
okamoto.hopto.org:3871 (194.5.97.15)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'

inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 272
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-08-18 06:24:07 UTC
AV detection: 13 of 48 (27.08%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam:
  NetWire, rar, beed82b3a7875e1535c92ea46a8a06b57c994b1226228c0a4fc0a24f79ccd823 (this sample)
Dropping:
  NetWire
Delivery method:
  Distributed via e-mail attachment