MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183
SHA3-384 hash: a477acd4ff169a4e3da60a65f5c311470b7636440d09e07580e9444c2ea1b2032060944181f7cf324b9ea7c0fa98a412
SHA1 hash: 5fd67c299e2c1eb45010047a846b4ced7781b0e0
MD5 hash: 18b1019ea979ebd886d3a81f3dc64fa1
humanhash: north-magnesium-violet-winter
File name:Quote10152020.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'540'096 bytes
First seen:2020-10-16 12:52:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:zAHnh+eWsN3skA4RV1Hom2KXMmHa2d8ii+3bTn4bWSimNe6FgMSvNFZVXy5:+h+ZkldoPK8Ya2Kit3bTn+y6FJSvNFY
Threatray 1'078 similar samples on MalwareBazaar
TLSH 3C65CF027385C066FE9791B35F6EF21056BC7D694133C51F23842E3AB9B1262227E76B
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns1.24x7server.net
Sending IP: 103.241.181.138
From: Sonya McNett <sales@sudhirswitchgears.com>
Reply-To: Sonya McNett <norhouesmktg@aol.com>
Subject: Quote for invoice
Attachment: Quote10152020.iso (contains "Quote10152020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72017/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.EmbeddedEXE-5.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/493631
Signature
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to steal Chrome passwords or cookies
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299272 Sample: Quote10152020.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 80 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected NetWire RAT 2->30 32 Sigma detected: NetWire 2->32 34 2 other signatures 2->34 6 Quote10152020.exe 2->6         started        9 Quote10152020.exe 2->9         started        11 Quote10152020.exe 2->11         started        process3 signatures4 36 Binary is likely a compiled AutoIt script file 6->36 38 Contains functionality to steal Chrome passwords or cookies 6->38 40 Maps a DLL or memory area into another process 6->40 13 Quote10152020.exe 3 6->13         started        16 Quote10152020.exe 9->16         started        18 Quote10152020.exe 9->18         started        20 Quote10152020.exe 9->20         started        24 2 other processes 9->24 22 Quote10152020.exe 11->22         started        process5 dnsIp6 26 80.85.157.253, 1077, 49722 CHELYABINSK-SIGNAL-ASRU Russian Federation 13->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 22:30:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=26qsmatnnkeufnmxo3vqp5jc54whbg5apfytzph45setiy5lcgbq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1c1035301c27d73a161ca96f9732f5024eb924798ce95d76d274b751ff87aa2f
NetWire
5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
NetWire
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
96a55e86b6b4d7ddfe80b096de08f57f7e8c417b2cb7dcf65a0c83aa32ed29dc
NetWire
a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
NetWire
c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc
NetWire
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
+ 1'068 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat persistence botnet stealer family:netwire
Link:
https://tria.ge/reports/201016-6twka5htzn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183
MD5 hash:
18b1019ea979ebd886d3a81f3dc64fa1
SHA1 hash:
5fd67c299e2c1eb45010047a846b4ced7781b0e0
Link:
https://www.unpac.me/results/c0eeed65-31fc-4180-baae-96bc3e2c2ff3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

iso 8ce823ae764e4237f595bfc71b346b9d708ef765ddae5aea64221cae832bf3f3

NetWire

Executable exe d7a126026d6a8942b59776eb07f522ef2c709ba079713cbcfcec893463ab1183

(this sample)

  
Dropped by
MD5 9ad9465be70e2b0b7e7c67a89aa0fb12
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72017/
  
Dropped by
SHA256 8ce823ae764e4237f595bfc71b346b9d708ef765ddae5aea64221cae832bf3f3

Comments