MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ee1ae389aa71260288e7ea3986e4d94d59a88ff535fa3d93647ec3da6e84c009. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NetWire
Vendor detections: 3
| SHA256 hash: | ee1ae389aa71260288e7ea3986e4d94d59a88ff535fa3d93647ec3da6e84c009 |
|---|---|
| SHA3-384 hash: | ae0a6a629e013dbb9f864c5286e5985cd3e662583fd2d851d66ff78ba00e4b917191d7a918cef4646b826d32747f3505 |
| SHA1 hash: | 4a23e7171433f01a1c38a75022c8c7bdaa63d1ca |
| MD5 hash: | 93468b5e05bf23494fc3d98ff6177fce |
| humanhash: | idaho-florida-vegan-cardinal |
| File name: | SHIPPING DOCUMENTS.uue |
| Download: | download sample |
| Signature | NetWire |
| File size: | 485'746 bytes |
| First seen: | 2021-02-07 07:18:04 UTC |
| Last seen: | Never |
| File type: | uue |
| MIME type: | application/x-rar |
| ssdeep | 12288:aD3rpMI0lj70gb0yx4Fo821KLADaKjF9i/Zx2s:OMdPx4H21Ki3i/Zgs |
| TLSH | 1FA423115BCDC6EEB8D0173AB2EBB62818F3747B084C961253D2EC1C38E264477C67A9 |
| Reporter |  abuse_ch |
| Tags: | NetWire RAT uue |
abuse_ch
Malspam distributing NetWire:HELO: aomail1.emirates.net.ae
Sending IP: 195.229.241.85
From: Candy Yang <candyy.yyang@zednzedit.com>
Reply-To: rappinn44@gmail.com
Subject: FW:SHIPPING DOCUMENTS
Attachment: SHIPPING DOCUMENTS.uue (contains "SHIPPING DOCUMENTS.exe")
NetWire RAT C2:
tolatilb.hopto.org:5670 (91.193.75.217)
Pointing to nVpn:
% Information related to '91.193.75.0 - 91.193.75.255'
% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@privacyfirst.sh'
inetnum: 91.193.75.0 - 91.193.75.255
descr: Moscow, Russia
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-RU2
country: RU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
abuse-c: ACRO34258-RIPE
mnt-by: PRIVACYFIRST-MNT
mnt-by: RIPE-NCC-END-MNT
org: ORG-KHd1-RIPE
status: ASSIGNED PI
created: 2012-06-04T11:05:55Z
last-modified: 2021-01-03T20:17:23Z
source: RIPE
sponsoring-org: ORG-MW1-RIPE
Intelligence
File Origin
# of uploads :
1
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Backdoor.Androm
Status:
Malicious
First seen:
2021-02-07 07:18:07 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
5/5
Detection(s):
Malicious file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Dropping
NetWire
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.