MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d586b05bf8ae586060343c9dc3b33b82d463e177ae92dd242de1a72946e4b13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d586b05bf8ae586060343c9dc3b33b82d463e177ae92dd242de1a72946e4b13
SHA3-384 hash: f07e81f004ee9d6069d7ae97a6515ec274d80410eaa06cd153f1a735afdd827b0f3a124f4dc0628dc6b5060b7dd3647e
SHA1 hash: 012a12fddee7ed7c9a0e5df786af8a5a4cc9087b
MD5 hash: 535c9fd606aa987e234792a9d0bb41b7
humanhash: high-twenty-cup-green
File name:INV9938483.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'024'000 bytes
First seen:2020-07-16 01:04:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:opeJDJIvvde9nJYxDJIvvde9nJYd9ZHyKRrd6PAe3IZ/gYo:nIv0nJYDIv0nJYJJFYPvYZ4f
Threatray 1'758 similar samples on MalwareBazaar
TLSH BA253A8211451279E168F0FAE606109AEA05EC3EE1E069B27679FB16C474E73CDC5FEC
Reporter jarumlus
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26288/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun with Startup directory
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d586b05bf8ae586060343c9dc3b33b82d463e177ae92dd242de1a72946e4b13/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-15 19:13:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvmgwbn7rlsymbqdipe5yoztxawumpqxplus3usc3ynhffdojmjq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
NetWire
23fd501c884e2f46d38af81b0d6e423ea0bff8c5eee615227806faf7b2833827
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72
NetWire
aa7433f4fd0ef15eed9c75d0e37a849909f7661b4d30063cff58879287fd2358
NetWire
b156f7eea25bfef26649faaeec108d9956479396f3f684fc257e379f305ccbdc
NetWire
b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
NetWire
c51d4fc5a8422271d20c83380f1cb646a19ca48c6bd4e509b29579d01bd8ea68
NetWire
cb54cd1dc1efb943d5308d6681f36ecaec957f0a70f9683f1da3e7e1188b9748
NetWire
ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d
NetWire
+ 1'748 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/200716-ae9ltezxzn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

7z d3da5a40330a85a499e5706593908906f2e2df166d713fef626737c3a4472b6c

NetWire

Executable exe 3d586b05bf8ae586060343c9dc3b33b82d463e177ae92dd242de1a72946e4b13

(this sample)

  
Dropped by
MD5 5a8a759da9cde54f967c21f7e32eee98
  
Dropped by
SHA256 d3da5a40330a85a499e5706593908906f2e2df166d713fef626737c3a4472b6c
  
Dropped by
NetWire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26288/

Comments