MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917
SHA3-384 hash: 44596f672f61e9cdfd6251a3e49d32cfdbff6dc79bf8132175e324bdc9ac504b0ef3ba7fdbbc2c25f068ef5b9c07472e
SHA1 hash: f4a0dd71efaa45f71834c6993e6bbe8cd08a9641
MD5 hash: 5589c458fa7898bfb7e85a5609c4899f
humanhash: juliet-sodium-winter-fanta
File name:Payment notification.img
Download: download sample
Signature NetWire
Create hunting rule
File size:1'376'256 bytes
First seen:2021-01-11 09:19:53 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 12288:B7nbXglNN+vvlmktiDOyykOfoQbbm6HmYj53kIPj/xCX9YctZNDib7O1WI22:B70ivhEOrkOQ8pGYjmsZCX9V87O1/1
TLSH 7D55F14036B56F12FE3847F4452E490503FB786BB166E75C6DCEE1EA2266F064A12F23
Reporter abuse_ch
Tags:img NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: smtp.hugedns.co.za
Sending IP: 102.67.140.104
From: Payment@capitecbank.co.za
Reply-To: No-reply@capitecbank.co.za
Subject: Payment Notification
Attachment: Payment notification.img (contains "Payment notification.exe")

NetWire RAT C2:
185.140.53.146:3393

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-11 09:20:22 UTC
AV detection:
9 of 44 (20.45%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=32nactye32ctsy2ptyzv46xjqgbuoonqyxhhdqe3hrfqegzjrelq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917

(this sample)

NetWire

Executable exe 26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90

  
Dropping
MD5 1ddc40fd6ae75ccf9fffe1f0a01a9d63
  
Dropping
NetWire
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90

Comments