MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4c03a586a45002f55d3a528c06ba868a1c40ed19e40c7e84c6f8b76a7c745ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4c03a586a45002f55d3a528c06ba868a1c40ed19e40c7e84c6f8b76a7c745ca
SHA3-384 hash: 1809e5a1d6d7eaa144951aed24f990e044a92ab974b3a375d619ccf45d53b81ac0d2c1144656a3271d9a8d35f62b1321
SHA1 hash: 52cca23b472007ba2ceb2de556a6e134ea260406
MD5 hash: 076980d2e42d08945f3601993b0217bc
humanhash: fish-hydrogen-football-delaware
File name:d81636a8bb3c86c4476711cf801e15e1.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:130'560 bytes
First seen:2020-03-28 17:08:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3552255b0308f758d071474baf31cb31 (28 x NetWire)
ssdeep 3072:yb3RWhfmSbEsz7nD/x0dZTGvd+PACdEDXJS6eb5Viz7wRE5L7:OIhfmSosz7nD/qvCdSdEDk6eb5VizsRU
Threatray 50 similar samples on MalwareBazaar
TLSH 36D31A04EE87A0F2FE0B4C70A5CBFBFF46295605C224DEB2EFA46D82EA13D55110A755
Reporter abuse_ch
Tags:exe GuLoader NetWire


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://hoayeuthuong-my.sharepoint.com/:u:/p/ketoan/EfnD_rdevgVJmoX4EILxp5wBtTUtqxQ8H5mRTLAIo44ypQ?e=ZBNPel&download=1

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence

File information

The table below shows additional information about this malware sample such as delivery method and external references.

dc95b5e5a554f7aca614d4a6a3d608ef8e15f117a6ab9fbd12db736b5de70ce5

NetWire

Executable exe e4c03a586a45002f55d3a528c06ba868a1c40ed19e40c7e84c6f8b76a7c745ca

(this sample)

  
Dropped by
MD5 d81636a8bb3c86c4476711cf801e15e1
  
Dropped by
MD5 c1ddf6c631e6e5b21322f45bf00a037f
  
Dropped by
GuLoader
  
Dropped by
SHA256 dc95b5e5a554f7aca614d4a6a3d608ef8e15f117a6ab9fbd12db736b5de70ce5
  
Dropped by
SHA256 18ec63c5a0c9f23a93fbd510d05f2ad423cf2df95a1d54eb885c2cf226c37c9d
  
URLhaus
https://urlhaus.abuse.ch/url/331495/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
DP_APIUses DP APICRYPT32.DLL::CryptUnprotectData
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteA
SHELL32.DLL::SHFileOperationA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.DLL::CryptAcquireContextA
ADVAPI32.DLL::CryptCreateHash
ADVAPI32.DLL::CryptGetHashParam
ADVAPI32.DLL::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegDeleteKeyA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::closesocket
WS2_32.dll::connect
WS2_32.dll::gethostbyname
WS2_32.dll::gethostname
WS2_32.dll::htons
WS2_32.dll::inet_ntoa
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA

Comments