MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
SHA3-384 hash: cfdbe6f62161465080b9753f6b88862d527a5552b28e48d67ceadfd09ee43d26930f9a29665eb3464396bf500f46d83f
SHA1 hash: ed4e974775f050e65233116fdbb28921618fceb7
MD5 hash: 748e4a49b7e306d7eb45aaa7b10faf5d
humanhash: single-magazine-october-six
File name: Solictud_de_cotizacion (3699663-2020).exe
Signature: NetWire
File size: 566'272 bytes
First seen: 2020-07-31 12:17:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c458ff2d515beb8f44158cd3636a7400
ssdeep: 12288:+zNIO6A3MZJOdZbsEpxHR/FgdXIlOQZbIg5AprZp/Ex4wB1dpVZVY:+hL908Zbpx/FEXIrkg5oNp/Czb
TLSH: 81C423E1C316D00EF4B6A974C63022D23509549D2E6D7C686EC3EB6B7D3FBD154A284B
Reporter: @abuse_ch
Tags: exe NetWire RAT t-online


Twitter
@abuse_ch
Malspam distributing NetWire:

HELO: mailout10.t-online.de
Sending IP: 194.25.134.21
From: Jimena Espinoza | NACOLPERU <Zahnarztpraxis-Kugler@t-online.de>
Reply-To: jsntfxqvip.163@gmail.com <jsntfxqvip.163@gmail.com>
Subject: Nuevo orden (NACOL S.A.) Julio / Agosto
Attachment: Solictud_de_cotizacion 3699663-2020.uue (contains "Solictud_de_cotizacion (3699663-2020).exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: FR
Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph: [graph ID 255376; sample Solictud_de_cotizacion (3699663-2020).exe, start date 31/07/2020, Windows, score 88. The process tree shows the sample dropping a decoy C:\Users\user\AppData\Local\Temp\Orden.pdf that is opened with AcroRd32.exe (spawning RdrCEF.exe children), re-launching itself and mapping a DLL or memory area into another process, dropping C:\Users\user\AppData\Roaming\...\Host.exe (PE32) and starting it; Host.exe carries the keystroke-logging, Chrome/Internet Explorer credential-theft and sleep-reduction-detection signatures and connects to 43.226.229.43 port 2030 (SOFTLAYERUS, Hong Kong). DNS lookup observed: g.msn.com. Graph-level signatures: icon mismatch, Yara detected NetWire RAT, Sigma detected NetWire, 5 other signatures.]
Threat name: Win32.Trojan.DataStealer
Status: Malicious
First seen: 2020-07-31 12:19:06 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour: UPX packed file
Threat name: Barys
Score: 1.00

Yara Signatures


Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: NetWire, Executable exe e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd (this sample)

Delivery method: Distributed via e-mail attachment

Comments