MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb
SHA3-384 hash: 522815f40a92f9a3fb81a7b3c8db5f7001e2cb327c1e97b282ff144677440897303dff5073c218e4e7ed20dbe7f79449
SHA1 hash: 3977c48bae879d9f28c741645f7eb1571caf3bcf
MD5 hash: 6998ca30e81c5ae0fda8e67ced0e2cbd
humanhash: alpha-london-foxtrot-apart
File name:Dachser Consulta de cliente saliente no. 000150849 - SKBMT03082020-0012-IMG0149.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:702'976 bytes
First seen:2020-08-05 13:47:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7daf82a66fe36783e723cf4e0e9334b8 (1 x NetWire)
ssdeep 12288:441Bzu+mpxMaBZJwrTFxs7bfi2w9fmtiVjWwTib/fERuWo:j1BoxjJwr/sPrCfmILTYExo
Threatray 307 similar samples on MalwareBazaar
TLSH 92E4B35D7E51F105FA5188BABE08D1E991493E32190D0483BFD17F6B7CB21AE9E27E02
Reporter abuse_ch
Tags:ESP exe geo NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: server.skydone.net
Sending IP: 185.50.199.121
From: Gaelle.Madelaine@dachser.com
Subject: Dachser: consulta de cliente saliente no. 000150849
Attachment: DACHSER CONSULTA DE CLIENTE SALIENTE NO. 000150849.R00 (contains "Dachser Consulta de cliente saliente no. 000150849 - SKBMT03082020-0012-IMG0149.exe")

NetWire RAT C2:
reddit-plugin.duckdns.org:3369 (79.134.225.43)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39655/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a TCP request to an infection source
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/411327
Signature
Sigma detected: NetWire
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 13:49:06 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=37epbj2fnivubeensaoci2gtok6ylgv5ubhfb32m6rpmqrtizxfq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
trickbot
Create hunting rule
Similar samples:
06835e2c284ded66ca44497caf918d1ce6f216e68af866e85ac6fb79332b75f7
NetWire
0f0322c44c393d5c125628af2cbc849cfd3f801ef9d4d20a9b740c04b1790967
NetWire
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
NetWire
4fc5c83ab8d45e9b46bc1ab2a20e653d868e57f357b7f5b4ba433706594bc2ca
NetWire
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555
NetWire
aae45a77eeaca2d69630e035293e25a47f81d5b7612bace059d1678154485b85
NetWire
c952644e56294c56309d52fffcacdc6d1d054625a3e438727c0a7c3d944eb3e8
NetWire
d38d364257aae9a96f861fc772480694e039d01e3f7897f347341d78d74444ca
NetWire
e04977f7d1fbf8b3a69237bbd2170af6c3046a8ce29e2732cd7c72f079f0e0f8
NetWire
f5041ea07d530c171a670d71769deb2185c8620462b4e26c59a923784f3bd17a
NetWire
+ 297 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
botnet stealer family:netwire
Link:
https://tria.ge/reports/200805-1fbqk8c2k6/
Behaviour
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_netwire_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

r00 b2069e643e0a48cb2f2e8e4eab1e3d9701c29155b13d783fe0fef061dd9d5145

NetWire

Executable exe dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb

(this sample)

  
Dropped by
MD5 b6d707ff8e7b46ac372a3b2f8c0197d0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39655/
  
Dropped by
SHA256 b2069e643e0a48cb2f2e8e4eab1e3d9701c29155b13d783fe0fef061dd9d5145

Comments