MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944
SHA3-384 hash: c5d14ef57bc9fae184297282fcde292007c2667912377a5ea806bda9400da011132d141292d30592636f54a97c9d50ae
SHA1 hash: ce1a42bfd376a6531ea145db13ecdd8c8811635c
MD5 hash: b483e9da3607a0f6ba9ef592ec59f54c
humanhash: august-carolina-kentucky-december
File name:5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944
Download: download sample
Signature NetWire
Create hunting rule
File size:252'416 bytes
First seen:2020-11-15 23:13:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d56d026a5673c851925519de2f118e8 (8 x NetWire)
ssdeep 3072:2jIvNbC73lVH7MZRQNTXUd4QTabgkVF/cP0YIfVjjjjjjja:2so/o414Tabg4cP0VQ
Threatray 314 similar samples on MalwareBazaar
TLSH B5348C10B2E1D572C093483C4465E2B0D236BC26E9B4DA8777E42FCB3EB17E15AB2756
Reporter seifreed
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-9784683-0
Create hunting rule

Win.Packed.Generickdz-9784859-0
Create hunting rule

Win.Dropper.Tofsee-9785157-0
Create hunting rule

Win.Packed.Generickdz-9785340-0
Create hunting rule

Win.Packed.Generickdz-9785864-0
Create hunting rule

Win.Packed.Emotet-9790742-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
DNS request
Launching the default Windows debugger (dwwin.exe)
Creating a window
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Netwire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537161
Signature
Contains functionality to log keystrokes
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:17:22 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lv2hbgyhxfubte6hqj7tkly4r23v2qdh423fzmnkqnea4o3jjfca._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
18e249edf52744fa58fd5b3f0f9c205ced077ac05bc7d9bb7e17a32edcb60a5c
NetWire
587e944c881d0e37982142ea1e15476b7bdcd6cdb7540a7b15899a5b196902d0
NetWire
96a55e86b6b4d7ddfe80b096de08f57f7e8c417b2cb7dcf65a0c83aa32ed29dc
NetWire
a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
NetWire
a85548009bbec56b17396c5c5816aff76055f6f0f2b8bd3a2e497f294eed8675
NetWire
b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
NetWire
d488a34718cf2db560dd4c62ccb5fac527cc192716c2d166a71f98abd384aba6
NetWire
d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183
NetWire
e74e35935d5ca8f98991689ed3524544e478a923a9212c87ec6c7c1bae67ec7c
NetWire
fd8c00e758edcccf92d7fd762a646e9be248d0a7c20701904dacd736163ccb20
NetWire
+ 304 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/201115-mt6maly3z6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944
MD5 hash:
b483e9da3607a0f6ba9ef592ec59f54c
SHA1 hash:
ce1a42bfd376a6531ea145db13ecdd8c8811635c
Link:
https://www.unpac.me/results/0d0a78b5-8bf3-4040-b39a-0cae1420f762/
SH256 hash:
fbdbcc653d8e225627a7e7bb649fa9406feb5a2f7316d487ab81c3ccb8f6bf98
MD5 hash:
4bfdf75d0eae0a1df0fa6cfc62951577
SHA1 hash:
469c8d7fdd79854ae7f2785c88b2d544dc69d01e
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/0d0a78b5-8bf3-4040-b39a-0cae1420f762/
Parent samples :
93791180662507f4dd25212224d4cea353f33ee38c88658eff1078b96f7bfcb7
953d07a128e1a4f0d85284f228cbee9ea3cd3bd063b8b2646775dc95404d7b57
a1df406845736cfb09a009e68029d221696c2737c513127f9de4985493d2025f
d87f7d09890b145e414a26a250b2341e4d5ee5dd04faf359988988dfcf5f52c9
a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
c1422548aa23ee61a76af545be66bb152d65df911dc3949d66ea3bd4e2ac16e7
b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497
80e97bf5afa5364639185a51ee2f39c7a541368d6d32caab197284fd3e4b59eb
5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944
e9c3135cdbfbb9e59a1060b94c13913b02173e1f3ec98c0b3f3acaad177061b4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments