MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77642de174198cae37f2b0ce29eb087f138800df44a79bd0e589962e9fc64e36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77642de174198cae37f2b0ce29eb087f138800df44a79bd0e589962e9fc64e36
SHA3-384 hash: b4d0c002c1601528f510fb7e115f29fd15ae1f1a2f2ac958a8ece9f4aca71068d19d913b52446901b1b72d302c455afc
SHA1 hash: 0754d2176df167f3e46d397f87ca3834cd89dee7
MD5 hash: 8a522b7dfd76a91312ea31b4e827b4a0
humanhash: mockingbird-autumn-vermont-william
File name:Fw_CONFIRMATION_OF_BALANCES-AP20.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:487'936 bytes
First seen:2020-05-16 12:12:18 UTC
Last seen:2020-05-18 13:05:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:pyUezhtUS765hBPiC0Kd/qfTNHL2WqZ3vjiP:jgOS767BPiCVChHfqo
Threatray 1'162 similar samples on MalwareBazaar
TLSH 68A4BE5B732DE9C7E6280AF54D29C70893306D2A2BD5E2C66CC229ED17E9FC27D01D46
Reporter jarumlus
Tags:NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-15 20:57:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5sc3yludggk4n7swdhct2yip4jyqag7istzxuhfrglc5h6gjy3a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
25e771e8b6b57f62a9605ee7b12f43cd3c0298e129fb4c9d4921a06c326f82bc
NetWire
4b110258d8a90160fd07abfd441805de6b8e1cb646c0734febd7de606ca5a4e4
NetWire
54cd2f165cdc6bc4fcc50fce8da1206b5c1bfedb442d2a000e965019d379a719
NetWire
6574309e9e7c496936683f6375b8ae940039249fb2b550d55ca914ea0daabf8f
NetWire
786be13603b06cce80fac1349c514e29ecd2664a51f045bc5446d2f9647087ec
NetWire
78dc559f3c971bf8fe5eb3f669a3b8de8c18313d2c466916fc32fd27ea352700
NetWire
8d339c015c4ffe14cd28f423625d45313081c61585ced94f822c7759a7226086
NetWire
91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
NetWire
aba4802ec9d322f223f22b73f41bbb77d7b6066d18c8b53571e50a9c97e727fa
NetWire
f0996fd1f27a193c71c2384d7a760b3db419a52033707d10f55283c9d2ea147f
NetWire
+ 1'152 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/201109-2qsye7cmde/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

5efb8d353b44f156df9373847752ec33be70c6413795705c8b368a7d9b72064b

NetWire

Executable exe 77642de174198cae37f2b0ce29eb087f138800df44a79bd0e589962e9fc64e36

(this sample)

  
Dropped by
MD5 a2556bb9a23fb3cfd94f738537c1a788
  
Dropped by
SHA256 5efb8d353b44f156df9373847752ec33be70c6413795705c8b368a7d9b72064b
  
Dropped by
NetWire
  
Delivery method
Distributed via e-mail attachment

Comments