MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
SHA3-384 hash:	441cf6e4e36e5efc7ef06946d010a7f90c5e53895628823f922e42ec19a5e967cb49216994308ce048a171ef51ae01b0
SHA1 hash:	ea3d03757c1d1c053abe433a28fedc48eb28a6a1
MD5 hash:	e84685ec0b33fb56abead1aaf166b8ad
humanhash:	steak-hot-december-happy
File name:	Eurobelt RFQ 203345_20200626100122637_PDF.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	580'366 bytes
First seen:	2020-06-26 11:43:00 UTC
Last seen:	2020-06-29 07:23:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep	12288:9crNS33L10QdrXP/X+tGfnF2gqm1BRNWXlLslygCoPk6iS:ANA3R5drXPrfF11nNW1LslygH
Threatray	497 similar samples on MalwareBazaar
TLSH	A4C4F102BAD684B2D1331D325939AB21657CBD701F35CE6FA3D86A6DCA31090A635F73
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

Malspam distributing NetWire:

HELO: mail0.newstarkitz.xyz
Sending IP: 194.187.249.118
From: Eurobelt <admin@newstarkitz.xyz>
Subject: Anmodning om tilbud
Attachment: Eurobelt RFQ 203345_20200626100122637_PDF.r00 (contains "Eurobelt RFQ 203345_20200626100122637_PDF.exe")

NetWire RAT C2:
sydor.tjsosda.com:5536

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Netwire

Link:

https://www.capesandbox.com/analysis/14882/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Running batch commands

Launching a process

Forced system process termination

Deleting a recently created file

Creating a file in the %AppData% subdirectories

Connection attempt to an infection source

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16/

Threat name:

Win32.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2020-06-26 11:44:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=43nw2x4qdg66776hjeteujt4det5z5pluwt6upp3cdnuk63lfila._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

botnet stealer family:netwire

Link:

https://tria.ge/reports/200626-psmw8d9y6a/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Netwire

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

r00 51ffc7a0d345b5b01709f51fb8e6c3dd178fb89adccd7a3aad8cb0d6584f320d

NetWire

exe e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16

(this sample)

Dropped by

MD5 a425430c98ab5080f1f5e5eb24adc809

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/14882/

Dropped by

SHA256 51ffc7a0d345b5b01709f51fb8e6c3dd178fb89adccd7a3aad8cb0d6584f320d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample