MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
SHA3-384 hash: cfdbe6f62161465080b9753f6b88862d527a5552b28e48d67ceadfd09ee43d26930f9a29665eb3464396bf500f46d83f
SHA1 hash: ed4e974775f050e65233116fdbb28921618fceb7
MD5 hash: 748e4a49b7e306d7eb45aaa7b10faf5d
humanhash: single-magazine-october-six
File name:Solictud_de_cotizacion (3699663-2020).exe
Download: download sample
Signature NetWire
Create hunting rule
File size:566'272 bytes
First seen:2020-07-31 12:17:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep 12288:+zNIO6A3MZJOdZbsEpxHR/FgdXIlOQZbIg5AprZp/Ex4wB1dpVZVY:+hL908Zbpx/FEXIrkg5oNp/Czb
Threatray 318 similar samples on MalwareBazaar
TLSH 81C423E1C316D00EF4B6A974C63022D23509549D2E6D7C686EC3EB6B7D3FBD154A284B
Reporter abuse_ch
Tags:exe NetWire RAT t-online


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mailout10.t-online.de
Sending IP: 194.25.134.21
From: Jimena Espinoza | NACOLPERU <Zahnarztpraxis-Kugler@t-online.de>
Reply-To: jsntfxqvip.163@gmail.com <jsntfxqvip.163@gmail.com>
Subject: Nuevo orden (NACOL S.A.) Julio / Agosto
Attachment: Solictud_de_cotizacion 3699663-2020.uue (contains "Solictud_de_cotizacion (3699663-2020).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/406062
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255376 Sample: Solictud_de_cotizacion (369... Startdate: 31/07/2020 Architecture: WINDOWS Score: 88 63 g.msn.com 2->63 81 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->81 83 Yara detected NetWire RAT 2->83 85 Sigma detected: NetWire 2->85 87 5 other signatures 2->87 9 Solictud_de_cotizacion (3699663-2020).exe 3 2 2->9         started        13 Host.exe 2->13         started        15 Solictud_de_cotizacion (3699663-2020).exe 2->15         started        signatures3 process4 file5 61 C:\Users\user\AppData\Local\Temp\Orden.pdf, PDF 9->61 dropped 89 Maps a DLL or memory area into another process 9->89 17 Solictud_de_cotizacion (3699663-2020).exe 3 9->17         started        20 Solictud_de_cotizacion (3699663-2020).exe 9->20         started        22 AcroRd32.exe 39 9->22         started        24 Host.exe 13->24         started        26 Host.exe 13->26         started        28 Solictud_de_cotizacion (3699663-2020).exe 15->28         started        30 Solictud_de_cotizacion (3699663-2020).exe 15->30         started        signatures6 process7 file8 59 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 17->59 dropped 32 Host.exe 17->32         started        35 Solictud_de_cotizacion (3699663-2020).exe 20->35         started        37 RdrCEF.exe 58 22->37         started        40 AcroRd32.exe 9 6 22->40         started        process9 dnsIp10 71 Contains functionality to log keystrokes 32->71 73 Contains functionality to steal Internet Explorer form passwords 32->73 75 Contains functionality to steal Chrome passwords or cookies 32->75 77 Contains functionality to detect sleep reduction / modifications 32->77 42 Host.exe 3 32->42         started        45 Host.exe 32->45         started        79 Maps a DLL or memory area into another process 35->79 47 Solictud_de_cotizacion (3699663-2020).exe 35->47         started        49 Solictud_de_cotizacion (3699663-2020).exe 35->49         started        65 192.168.2.1 unknown unknown 37->65 51 RdrCEF.exe 37->51         started        53 RdrCEF.exe 37->53         started        55 RdrCEF.exe 37->55         started        57 RdrCEF.exe 37->57         started        signatures11 process12 dnsIp13 67 43.226.229.43, 2030 SOFTLAYERUS Hong Kong 42->67 69 80.0.0.0 NTLGB United Kingdom 51->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 12:19:06 UTC
AV detection:
38 of 48 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4izotqgwm5yp5dsqizxt3udtcyfi3wxvmxwqhawotfzcnqntmtoq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1254f2a5cf88750e22a29c78e1e316cd034d3763302bfafaea0ceac3fec49e1e
NetWire
1c1035301c27d73a161ca96f9732f5024eb924798ce95d76d274b751ff87aa2f
NetWire
40d8ba1b4ae578829ce958a356395307e27eda0512bc78021ccb93e4b26134f7
NetWire
797a9a105652922546340d44d623196f8f5d22410011156a710bdf4f239a3d40
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
NetWire
b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
f52c73e9a148074ad2d20b27874e0c183a461f0e21ed09874ef706e464757e2e
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
+ 308 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200731-ez5q6kjb1n/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

uue 472bd26e0dec365a75bb00046b1025c75cbddc7cad4eef7c50213c6382f5d063

NetWire

Executable exe e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

(this sample)

  
Dropped by
MD5 297282d787079090bf2d5c8377a09735
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/36502/
  
Dropped by
SHA256 472bd26e0dec365a75bb00046b1025c75cbddc7cad4eef7c50213c6382f5d063

Comments