MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbe205332c200214aa7188070687ad6db3e2e189dc81b826dd0bf39b638f9005. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbe205332c200214aa7188070687ad6db3e2e189dc81b826dd0bf39b638f9005
SHA3-384 hash: 09fd795f231bd3019b732e6710dbb801dfcbbdfecb88461d2e8438590922a11779fb197779aa3d3e3314b2c941e1deca
SHA1 hash: 76196bdd22a5163d19ef9fe66c4b2507617a5b64
MD5 hash: 3e5a74dfcc88a7465a4ffa5623fb8534
humanhash: double-beryllium-wyoming-sink
File name:3e5a74dfcc88a7465a4ffa5623fb8534.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:33'792 bytes
First seen:2021-02-03 18:49:03 UTC
Last seen:2021-02-03 21:01:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:k9Q+kV7HclxutTUe9q6mjzcNRyfdU03dA3:kS+k6GxizqRyfdU0y3
Threatray 7 similar samples on MalwareBazaar
TLSH 01E2C78D76EC7059E1A61FB20912F6B1762DAA319C50CC097046D20EEEC15FB6CC9EE7
Reporter abuse_ch
Tags:exe NetWire RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SEALON doc_03022020.doc
Verdict:
Malicious activity
Analysis date:
2021-02-03 07:22:53 UTC
Tags:
trojan exploit CVE-2017-11882 loader rat netwire
Link:
https://app.any.run/tasks/c59873a1-7452-4f09-bc24-1d92f5f11b61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115440/
Detection(s):
SecuriteInfo.com.Variant.Bulz.339626.15555.10364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/598381
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbe205332c200214aa7188070687ad6db3e2e189dc81b826dd0bf39b638f9005/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 07:59:28 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7prakmzmeabbjktrradqnb5nnwz6fymj3sa3qjw5bpzzwy4psacq._file
Verdict:
unknown
Similar samples:
1c11ae71070f0d464e20f92b83a0e029dde16271703c329314c78423bcbe8b70
NetWire
2acded4635676811aa81729461214aaa27994e81da6420d4809d6dec5a56c54c
NetWire
982b3cdebd14819f1ba24db87d3cde7582c1e72b56540763cc86dcc4c74f5de8
NetWire
befc201977528c9d3362acfd8fecb519753e277d98a97273cb6a6cfbfafaf8c0
NetWire
e124d3e9087bcb39d6a8d6cf108de81271501f04ddd1d091b4795087a27f4f69
NetWire
e1c09e3ed04823f7a5307ae130f9c5259eae64aa5d37576818aefd766bec13e8
NetWire
f7c779d5d3483c74f637ad8275802bacd163c29f25ac25cd57c1df7efa98d278
NetWire
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210203-55f2ks9vva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
fbe205332c200214aa7188070687ad6db3e2e189dc81b826dd0bf39b638f9005
MD5 hash:
3e5a74dfcc88a7465a4ffa5623fb8534
SHA1 hash:
76196bdd22a5163d19ef9fe66c4b2507617a5b64
Link:
https://www.unpac.me/results/15122320-d834-412a-b672-64e56bf03a0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fbe205332c200214aa7188070687ad6db3e2e189dc81b826dd0bf39b638f9005

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe fbe205332c200214aa7188070687ad6db3e2e189dc81b826dd0bf39b638f9005

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978554/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115440/

Comments