MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497
SHA3-384 hash:	b22b5d25079b17cbf99c7907f099d5d9e8d0c01730e48cfdca34763e95ba2c7a1a3a9d7f9d63a6c93bc34823a7af8cc2
SHA1 hash:	6f7dee641baca760c3d1be043e6003f227f016a3
MD5 hash:	856df6ece76715db4b6eb3f28493c96a
humanhash:	queen-pip-avocado-quebec
File name:	b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497
Download:	download sample
Signature	NetWire Create hunting rule
File size:	252'416 bytes
First seen:	2020-11-13 15:50:41 UTC
Last seen:	2024-07-24 20:35:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2c18218eed128fc50ed21df0c8227c3b (4 x NetWire, 4 x Tofsee)
ssdeep	3072:RIoHBWS8kqaRJmhO/R6Ul1q3MnnzIzQRJ+G2lz/MdQg7Qkjjjjjjja:RTWS8C+hOA2q8nzqeJ/2J+Qg7QF
TLSH	96349DD076E1C172C293443C1420D2A5253ABC2AEBB4C9A7F7D43F5B2DBD6E116B2356
Reporter	seifreed
Tags:	NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Generic-9784683-0

Win.Packed.Generickdz-9784859-0

Win.Dropper.Tofsee-9785157-0

Win.Packed.Generickdz-9785340-0

Win.Packed.Generickdz-9785864-0

Win.Packed.Emotet-9790742-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Enabling the 'hidden' option for recently created files

Launching the default Windows debugger (dwwin.exe)

Creating a window

DNS request

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-13 15:58:54 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wt6rwvm5e3dmzagakdkh7lqwvsuhd4cpozqcsvt5pdwr2hh7gslq._file

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/201113-baz7lswte2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Loads dropped DLL

Executes dropped EXE

ServiceHost packer

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497

MD5 hash:

856df6ece76715db4b6eb3f28493c96a

SHA1 hash:

6f7dee641baca760c3d1be043e6003f227f016a3

Link:

https://www.unpac.me/results/0ce43f41-5741-4ca5-8f50-1ea60a873995/

SH256 hash:

fbdbcc653d8e225627a7e7bb649fa9406feb5a2f7316d487ab81c3ccb8f6bf98

MD5 hash:

4bfdf75d0eae0a1df0fa6cfc62951577

SHA1 hash:

469c8d7fdd79854ae7f2785c88b2d544dc69d01e

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/0ce43f41-5741-4ca5-8f50-1ea60a873995/

Parent samples :

93791180662507f4dd25212224d4cea353f33ee38c88658eff1078b96f7bfcb7
953d07a128e1a4f0d85284f228cbee9ea3cd3bd063b8b2646775dc95404d7b57
a1df406845736cfb09a009e68029d221696c2737c513127f9de4985493d2025f
d87f7d09890b145e414a26a250b2341e4d5ee5dd04faf359988988dfcf5f52c9
a0c1f8d3a65e0236068e42f67bccadf3af1f9e97b9d1ae1a4f4f6c98e9fd87af
c1422548aa23ee61a76af545be66bb152d65df911dc3949d66ea3bd4e2ac16e7
b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497
80e97bf5afa5364639185a51ee2f39c7a541368d6d32caab197284fd3e4b59eb
5d74709b07b9681993c7827f352f1c8eb75d4067e6b65cb1aa83480e3b694944
e9c3135cdbfbb9e59a1060b94c13913b02173e1f3ec98c0b3f3acaad177061b4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4fd1b559d26c6cc80c050d47fae16aca871f04f766029567d78ed1d1cff3497

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	MAL_unspecified_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	netwire Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect netwire in memory
Reference:	internal research

Rule name:	Suspicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample