MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
SHA3-384 hash:	f53b8cdaa40a4d6d86eaa15d239e4e1aa8d58c19c044b27bdedf6ecbd33a23bed11a79c3cd443f3f89f128b2ed8e0817
SHA1 hash:	f6918a09f7280624e1e50d8c77e3495401379bff
MD5 hash:	60b5e2752c5236c92a2c59261e729b01
humanhash:	massachusetts-stream-ink-six
File name:	a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
Download:	download sample
Signature	NetWire Create hunting rule
File size:	252'416 bytes
First seen:	2020-11-11 11:09:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4d56d026a5673c851925519de2f118e8 (8 x NetWire)
ssdeep	3072:2jwvNDTh6lpp0BMZRQNTXUd4QTabgkVF/cP0YIfVjjjjjjja:2ctc4e414Tabg4cP0VQ
Threatray	304 similar samples on MalwareBazaar
TLSH	1E349D10B2E1D572C093483C4464E2B1D236BC26E9B4DA8777E42FCB3EB13E15AB6756
Reporter	seifreed
Tags:	NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Generic-9784683-0

Win.Packed.Generickdz-9784859-0

Win.Dropper.Tofsee-9785157-0

Win.Packed.Generickdz-9785340-0

Win.Packed.Generickdz-9785864-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Enabling the 'hidden' option for recently created files

Launching the default Windows debugger (dwwin.exe)

Creating a window

DNS request

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-11 11:11:06 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uda7ru5glybdmbuoil3hxtfn6oxr7huxxhi24gspj5wjr2p5q6xq._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/201111-b1tnqezv32/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Loads dropped DLL

Executes dropped EXE

ServiceHost packer

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

fbdbcc653d8e225627a7e7bb649fa9406feb5a2f7316d487ab81c3ccb8f6bf98

MD5 hash:

4bfdf75d0eae0a1df0fa6cfc62951577

SHA1 hash:

469c8d7fdd79854ae7f2785c88b2d544dc69d01e

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/8c0d5459-e3ae-4296-82d5-36ce73a4ebf8/

Parent samples :

93791180662507f4dd25212224d4cea353f33ee38c88658eff1078b96f7bfcb7
953d07a128e1a4f0d85284f228cbee9ea3cd3bd063b8b2646775dc95404d7b57
a1df406845736cfb09a009e68029d221696c2737c513127f9de4985493d2025f
d87f7d09890b145e414a26a250b2341e4d5ee5dd04faf359988988dfcf5f52c9
a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
c1422548aa23ee61a76af545be66bb152d65df911dc3949d66ea3bd4e2ac16e7
b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497
80e97bf5afa5364639185a51ee2f39c7a541368d6d32caab197284fd3e4b59eb
5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944
e9c3135cdbfbb9e59a1060b94c13913b02173e1f3ec98c0b3f3acaad177061b4

SH256 hash:

a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af

MD5 hash:

60b5e2752c5236c92a2c59261e729b01

SHA1 hash:

f6918a09f7280624e1e50d8c77e3495401379bff

Link:

https://www.unpac.me/results/8c0d5459-e3ae-4296-82d5-36ce73a4ebf8/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	MAL_unspecified_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	netwire Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect netwire in memory
Reference:	internal research

Rule name:	Suspicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample