MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948
SHA3-384 hash: 86e6d234f97c5171376709b80c8146622b8ebfae2fdc4ac348e9397e243c0c53ed538ed156b6864324f783fc0f993ee3
SHA1 hash: 7e8c4c56a6055d01e4d96ddedd5aec9241adcaf1
MD5 hash: 55f366df0150172ee321229116917ef9
humanhash: white-high-mars-glucose
File name: Payment notification-pdf.exe
Signature: NetWire
File size: 1'082'825 bytes
First seen: 2020-06-30 08:43:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3
ssdeep: 24576:6NA3R5drXdtihCpWyKuS+1pumHRQH1pu5SMny1R:z5bDSNNVCSKyv
TLSH: 48351212F7E684B2E13719364A29D721B67CBD201F24DA5FB3D05E6DDA31180A235BB3
Reporter: @abuse_ch
Tags: exe NetWire RAT


Twitter
@abuse_ch
Malspam distributing NetWire:

HELO: magna.webdema.com
Sending IP: 173.212.193.63
From: Notification@nedbank.co.za
Reply-To: No-repIy@nedbank.co.za
Subject: Payment Notification
Attachment: Payment notification-pdf.uue (contains "Payment notification-pdf.exe")

NetWire RAT C2:
154.16.93.182:3373

Intelligence


Mail intelligence
Trap location: Global
Impact: Low

# of uploads: 1
# of downloads: 32
Origin country: FR

CAPE Sandbox
Detection: n/a
Link: https://www.capesandbox.com/analysis/16995/

ClamAV: SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL

CERT.PL MWDB
Detection: netwire
Link: https://mwdb.cert.pl/sample/c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948/

ReversingLabs
Status: Malicious
Threat name: Win32.Trojan.Wacatac
First seen: 2020-06-30 08:45:05 UTC
AV detection: 20 of 31 (64.52%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage
Score: 10/10
Malware Family: nanocore
Link: https://tria.ge/reports/200630-xjh6fz6l92/
Tags: rat botnet stealer family:netwire persistence keylogger trojan spyware family:nanocore

VirusTotal: Virustotal results 40.28%

Yara Signatures


Rule name: Malicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxilliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: MAL_unspecified_Jan18_1
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research

Rule name: netwire
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research

Rule name: Suspicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxilliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NetWire
Executable exe: c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948 (this sample)

Delivery method: Distributed via e-mail attachment

Comments