MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
SHA3-384 hash: 3b26c0e970ef97fbdff2fc8322290d422f3b6ba5742189d9a21d4f4ea5f206f3a8ba197040188e8520e7bcec48a44203
SHA1 hash: 72d883c2425d348df9d74483684d113188806b5b
MD5 hash: 69a2604dc3860929c8794dd92e89b481
humanhash: green-vegan-early-zulu
File name:PURCHASE_FABRICS_APPAREL_100%_COOTON.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'058'456 bytes
First seen:2020-10-21 08:56:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 43f29e85d3150ea9833f321c3be626c8 (9 x ModiLoader, 1 x NetWire, 1 x AveMariaRAT)
ssdeep 12288:ehVKeF40BRicbRToD1whMmvlThTD3mG91gX2jU6vw4fMsdF6eIDk:ehU0RicG6b9T17mG9uX2NwDkF6zDk
Threatray 363 similar samples on MalwareBazaar
TLSH 48355C627290C332D072C6B9CD5EA6787599FE40ED287846F7EC7D4A6F35E81202B247
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: shamirlensthailand.com
Sending IP: 103.7.56.165
From: Vertex Win Apparel Sourcing <moinul@vertexwin.com>
Subject: HF-LOYAL-201009A-- 100% Cotton Yarn P/O for Kohl's St.Eve 2/25x (Fashion Order); PO# 4035656 - 4035671 (REF# 22-20-57-HU-20
Attachment: PURCHASE_FABRICS_APPAREL_100% COOTON.rar (contains "PURCHASE_FABRICS_APPAREL_100%_COOTON.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73924/
Detection(s):
SecuriteInfo.com.Artemis69A2604DC386.6133.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505498
Signature
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 06:17:28 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43bglvb73etahdlx6dfpc5z7spc5nbh3f7hev4pui5eyf22ji5ra._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
NetWire
23fd501c884e2f46d38af81b0d6e423ea0bff8c5eee615227806faf7b2833827
NetWire
42808813b67b34a144d03a26fb5a9cf6cd59e185e58d73750585654c09242e5b
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
NetWire
8e3dd0c0c4913e5eb7de42a42bea5c3ff396542ee47737ed9eeb3b5439e95c6b
NetWire
9de5e8e2d7733dfcf568e5b11a95d2468ef905e90169d7a4c93e1909a0372f04
NetWire
b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
NetWire
cb54cd1dc1efb943d5308d6681f36ecaec957f0a70f9683f1da3e7e1188b9748
NetWire
dc8b1aa91228f69edb8b71fafd9231f6d6d55d50ea17e3a845a3014e419cdb60
NetWire
+ 353 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader botnet stealer family:netwire
Link:
https://tria.ge/reports/201021-s7sbngde1j/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Netwire
Unpacked files
SH256 hash:
e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
MD5 hash:
69a2604dc3860929c8794dd92e89b481
SHA1 hash:
72d883c2425d348df9d74483684d113188806b5b
Link:
https://www.unpac.me/results/99673856-b8ee-4278-a638-f351dc4a1617/
SH256 hash:
09d882b9f2ee1b1c4e741148bff6022ad2dc954336f4a0068e74ac44b8c0da90
MD5 hash:
2d396f6b17ced0f5bbe35732b059f39a
SHA1 hash:
f99451819cad0af6dc99df27d3c59ac47c50a2ec
Link:
https://www.unpac.me/results/99673856-b8ee-4278-a638-f351dc4a1617/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar c8b082fe3e966bc82a74debb381450d715f86c395378c1e888fd3c535a1ecdbc

NetWire

Executable exe e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762

(this sample)

  
Dropped by
MD5 010b80568603eac6032961405d630162
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73924/
  
Dropped by
SHA256 c8b082fe3e966bc82a74debb381450d715f86c395378c1e888fd3c535a1ecdbc

Comments