MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 debf78ac913e3b76debc7c4745d1e9ff858d6f3392ad02db78eb18408ac4beaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: debf78ac913e3b76debc7c4745d1e9ff858d6f3392ad02db78eb18408ac4beaf
SHA3-384 hash: 0fee9f3288921284385e44da23284f5fd22de77cd6cce667ddda26e8c9f40ef0e2d90ad60e2a0569dd8cffac60a4e35b
SHA1 hash: 95a6a416f682a9d254e76ec38ade01ce241b3366
MD5 hash: 02bebda14734b392c40e86a08717e140
humanhash: grey-tennessee-potato-mountain
File name: Potwierdzenie transakcji.xls
Signature: NetWire
File size: 877'056 bytes
First seen: 2020-06-30 10:53:39 UTC
Last seen: 2020-06-30 11:54:29 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 12288:a+mNc3H6ZMgk9cOMwz4eQwinb0yDNy0vWzu/sYPEL0Vnr3QhwyCnndv:a+scw3k9vz4s6U0vWksMEy+Kh
TLSH: 2C155B02C749093BF1661A35B14A95579F492E773942CEB109EBB21F271FFB04EBAC06
Reporter: @JAMESWT_MHT
Tags: NetWire

Intelligence


Mail intelligence
Trap location: Global
Impact: High
# of uploads: 2
# of downloads: 27
Origin country: IT IT
ClamAV: TwinWave.EvilDoc.DOCXSTRGOOD.AOEX4.BITSNEEDEDFOR.POWERSHELL.EXE.200327.UNOFFICIAL
CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/debf78ac913e3b76debc7c4745d1e9ff858d6f3392ad02db78eb18408ac4beaf/
ReversingLabs Status: Malicious
Threat name: Document-Word.Trojan.Netwire
First seen: 2020-06-30 10:55:03 UTC
AV detection: 10 of 31 (32.26%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-edfnfkd5va/
Tags: n/a
VirusTotal: VirusTotal results 18.33%

Yara Signatures


Rule name: Malicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxilliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: MAL_unspecified_Jan18_1
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research

Rule name: netwire
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: Suspicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxilliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.
