MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f44f6fbfc891bec5aaece28be3e010289e8c067389863110a9ea493c175a342e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	f44f6fbfc891bec5aaece28be3e010289e8c067389863110a9ea493c175a342e
SHA3-384 hash:	b119d428d72709b70d76dfa739f68f662ceee1fe91287399d6ff61e1ee4123a0acb9ec72ab65c2763ea7e76b522ee672
SHA1 hash:	da42cdb3d86820ff266984d8f45aa21e834f9f53
MD5 hash:	f77b620842bd1cbaf61adb1b85c6c31b
humanhash:	floor-berlin-floor-idaho
File name:	SV38848934334.7z
Download:	download sample
Signature	NetWire Create hunting rule
File size:	898'444 bytes
First seen:	2022-08-03 08:25:53 UTC
Last seen:	2022-08-03 08:29:25 UTC
File type:	7z
MIME type:	application/x-7z-compressed
ssdeep	12288:PSNPKCyalo5qfZQSPo77Qw62fGceq9u7gr71IzlsEfpl69uUDatR2OrU:aNvuUfZ+7QwXuP8Ogm5LEyU
TLSH	T1B41533CB42A63D22DADF6D72E8B2524CF453D7F18E7E9801C0EEDB821954DAD490CB52
TrID	57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1) 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter	cocaman
Tags:	7z NetWire

cocaman

Malicious email (T1566.001)
From: ""Elyna Belleau" <best@doorrackpainter.com>" (likely spoofed)
Received: "from 5266108.doorrackpainter.com (5266108.doorrackpainter.com [162.240.1.83]) "
Date: "2 Aug 2022 23:35:14 -0700"
Subject: "Ci-joint copie du paiement"
Attachment: "SV38848934334.7z"

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.22411.25872.1579.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ea3159bcf76fcb6cdf9cd8/reports/3356351e-54f9-4d01-812f-a1ba94d060c3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f44f6fbfc891bec5aaece28be3e010289e8c067389863110a9ea493c175a342e/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-08-03 05:43:14 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 40 (45.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6rhw7p6isg7mlkxm4kf6hyaqfcpiybttrgddcefj5jetyf22gqxa._file

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220803-kbvbyshah4/

Behaviour

Creates scheduled task(s)

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

xman2.duckdns.org:4433

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f44f6fbfc891bec5aaece28be3e010289e8c067389863110a9ea493c175a342e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

7z f44f6fbfc891bec5aaece28be3e010289e8c067389863110a9ea493c175a342e

(this sample)

NetWire

exe a1bc1aba176e99f0531b911a04d6c636ef21dab12d24026c672829d0c624e16e

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 a1bc1aba176e99f0531b911a04d6c636ef21dab12d24026c672829d0c624e16e

Dropping

NetWire

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample