MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a6e48e93a3d286568161e52e0aaeb945de463505fdc572012148272b6b41ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NetWire
Vendor detections: 7

SHA256 hash: e7a6e48e93a3d286568161e52e0aaeb945de463505fdc572012148272b6b41ec
SHA3-384 hash: e1cfdcd8d3e321bc900ce91bb0355e6ba6c90ce0843dba1687abe3b13295b2253ccdbc965c7887e65728f2210dfefc46
SHA1 hash: 4feda63173d94f6d423f2e45901fa9cad3f579ad
MD5 hash: 7429c38e3022a2677d7f6350b6cf261b
humanhash: freddie-hydrogen-oregon-ohio
File name: e7a6e48e93a3d286568161e52e0aaeb945de463505fdc.dll
Signature: NetWire
File size: 57'348 bytes
First seen: 2021-03-22 09:14:11 UTC
Last seen: 2021-03-22 10:45:59 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 37dff82dbc0a01d6a9e596664712c05e (2 x NetWire)
ssdeep: 768:EHmfSO1BZEEhr6x/mbYyp6CHUBRfOIjTPAubo+2Zrey8W13rEDdunKsrN4RPZc6:io9SkOx/OfYC0BRf7TrM+QrC4Fj4FZZ
Threatray: 11 similar samples on MalwareBazaar
TLSH: A9439D5073A1D07AE66A55342836E6A21E2F3980BBF0448B3FD516ED5FB11C0F93932B
Reporter: abuse_ch
Tags: dll NetWire RAT
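Before analysing a download, confirm that the file on disk is the file this entry describes. The script below is an added example (not MalwareBazaar or abuse.ch code) that recomputes the four standard-library digests listed above and compares them with the entry's values; imphash, ssdeep and TLSH are left out because they need third-party packages (pefile, ssdeep, py-tlsh). The hash constants are copied from the entry; the byte strings in the test are constructed inputs, not the sample.

```python
"""Verify a file against the digests published in the MalwareBazaar entry.
Added example; not MalwareBazaar code."""
import hashlib
import hmac

# Copied from the database entry above.
ENTRY_HASHES = {
    "sha256": "e7a6e48e93a3d286568161e52e0aaeb945de463505fdc572012148272b6b41ec",
    "sha3_384": "e1cfdcd8d3e321bc900ce91bb0355e6ba6c90ce0843dba1687abe3b13295b2253ccdbc965c7887e65728f2210dfefc46",
    "sha1": "4feda63173d94f6d423f2e45901fa9cad3f579ad",
    "md5": "7429c38e3022a2677d7f6350b6cf261b",
}

CHUNK = 1 << 20  # stream files in 1 MiB pieces


def _new_hashers():
    # hashlib.new accepts "sha3_384" alongside the classic names.
    return {name: hashlib.new(name) for name in ENTRY_HASHES}


def hash_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer, as lowercase hex."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str) -> dict:
    """Same digests, but streamed so large samples need not fit in memory."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(observed: dict, expected: dict = ENTRY_HASHES) -> dict:
    """Per-algorithm match result; compare_digest tolerates case differences
    only after normalisation, so both sides are lowercased first."""
    return {
        name: hmac.compare_digest(observed[name].lower(), expected[name].lower())
        for name in expected
    }


def is_match(observed: dict, expected: dict = ENTRY_HASHES) -> bool:
    """True only when every published digest agrees."""
    return all(compare(observed, expected).values())


if __name__ == "__main__":
    import sys
    digests = hash_file(sys.argv[1])
    for name, ok in compare(digests).items():
        print(f"{name:8} {'OK ' if ok else 'BAD'} {digests[name]}")
    sys.exit(0 if is_match(digests) else 1)
```

MalwareBazaar serves samples inside a password-protected ZIP (password `infected`); unpack first and hash the inner file, not the archive. A mismatch on one digest while the others agree is not a partial match: it means the copy is a different file, so treat all-or-nothing.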


abuse_ch:
NetWire C2:
185.208.158.210:8523

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.208.158.210:8523 | https://threatfox.abuse.ch/ioc/4373/
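The ThreatFox indicator is an ip:port pair, so a sweep should match on both and only downgrade, not ignore, traffic to the same host on another port (a RAT operator can change the listening port without changing the host). The script below is an added example, not abuse.ch tooling: it parses Zeek conn.log records and classifies contacts with the C2 above and with the two sandbox-observed addresses from the Intelligence section (146.59.152.166, which the sandbox resolved from i.ibb.co, and 145.239.131.55, for which no hostname was recorded). The log excerpt is constructed for the example; the hosts, ports and the source-port numbers echo the page but the timestamps and internal addresses are invented.

```python
"""Sweep Zeek conn.log lines for the network indicators on this page.
Added example; not part of the MalwareBazaar entry or of abuse.ch tooling.
The log lines are constructed for the example, not captured traffic."""
import ipaddress
from dataclasses import dataclass

# From the IOC table above (ThreatFox ioc/4373): the NetWire C2 as ip:port.
C2_ENDPOINTS = {("185.208.158.210", 8523)}
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}

# From the sandbox behaviour graph in the Intelligence section. 146.59.152.166
# sat behind a public image host (i.ibb.co), so these are triage context, not
# block-list material.
STAGING_ENDPOINTS = {("146.59.152.166", 443), ("145.239.131.55", 443)}


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str  # "high": C2 ip:port, "medium": C2 host other port, "info": staging


# Zeek conn.log is tab-separated; these are the leading columns of the
# default layout, which is all this sweep needs.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]


def parse_conn_line(line):
    """Return a dict for one conn.log record, or None for headers and junk."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        ipaddress.ip_address(rec["id.resp_h"])  # reject garbage before matching
        rec["id.resp_p"] = int(rec["id.resp_p"])
    except ValueError:
        return None
    return rec


def classify(dst, dport):
    if (dst, dport) in C2_ENDPOINTS:
        return "high"
    if dst in C2_HOSTS:  # same C2 host, unexpected port: still worth a look
        return "medium"
    if (dst, dport) in STAGING_ENDPOINTS:
        return "info"
    return None


def sweep(lines):
    hits = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        sev = classify(rec["id.resp_h"], rec["id.resp_p"])
        if sev:
            hits.append(Hit(rec["ts"], rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"], sev))
    return hits


# Constructed conn.log excerpt (not real traffic).
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1616404451.120\tCa1\t10.0.0.15\t49703\t146.59.152.166\t443\ttcp
1616404460.770\tCa2\t10.0.0.15\t49710\t185.208.158.210\t8523\ttcp
1616404461.030\tCa3\t10.0.0.22\t51002\t93.184.216.34\t443\ttcp
1616404590.500\tCa4\t10.0.0.15\t49712\t185.208.158.210\t443\ttcp
""".splitlines()

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(f"{h.severity:6} {h.src} -> {h.dst}:{h.dport} at {h.ts}")
```

Run it against a real conn.log with `sweep(open("conn.log"))`; the parser skips Zeek's `#fields`/`#types` headers and any line whose responder address does not parse.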

Intelligence


File Origin
# of uploads: 2
# of downloads: 400
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Drops executable to a common third party application directory
Hijacks the control flow in another process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Uses tracert.exe to detect the network architecture
Writes to foreign memory regions
Behaviour
Behavior Graph: ID 372744, sample e7a6e48e93a3d286568161e52e0..., start date 22/03/2021, architecture WINDOWS, score 76. The rendered graph is not reproduced here; the information recoverable from it follows.

Process tree recorded by the sandbox:
loaddll32.exe (sandbox harness loading the DLL; flagged: Multi AV Scanner detection, Machine Learning detection)
  rundll32.exe (three instances) and cmd.exe > rundll32.exe (flagged on the rundll32.exe instances: overwrites code with unconditional jumps / possibly setting hooks in foreign process, hijacks the control flow in another process, writes to foreign memory regions, allocates memory in foreign processes, uses tracert.exe to detect the network architecture)
    TRACERT.EXE (one per rundll32.exe instance; flagged: drops executable to a common third party application directory)
      cmd.exe > conhost.exe, conhost.exe, openvpn-gui.exe
openvpn-gui.exe (two instances started directly at the root)

Files dropped by TRACERT.EXE:
C:\Users\user\AppData\...\openvpn-gui.exe (PE32)
C:\Users\user\AppData\...\libcrypto-1_1.dll (PE32)

Network activity:
DNS: ipv4.imgur.map.fastly.net, i.imgur.com, i.ibb.co
TRACERT.EXE > i.ibb.co 146.59.152.166:443 (OVHFR, Norway), local ports 49703 and 49704
TRACERT.EXE > 145.239.131.55:443 (OVHFR, France), local port 49706
TRACERT.EXE > 192.168.2.1 (local)
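Two things in the graph above are worth turning into host-side detections: TRACERT.EXE, a utility that never creates processes on its own, spawning cmd.exe and openvpn-gui.exe after a rundll32.exe instance wrote into it; and openvpn-gui.exe executing from the user profile, where the sandbox dropped it together with libcrypto-1_1.dll (the page records the pair being dropped, not how the DLL is then loaded). The rundll32.exe/loaddll32.exe parent is the sandbox loading a bare DLL and will differ in a real infection, so the rules below do not key on it. The script is an added example (not sandbox-vendor, abuse.ch or MalwareBazaar code) that runs two lineage rules over constructed Sysmon EID 1-style events; the AppData subdirectory in the constructed path is hypothetical because the page truncates the real one, and pids 90 and 91 are benign controls.

```python
"""Process-lineage checks derived from the sandbox behaviour graph above.
Added example; not abuse.ch, MalwareBazaar or sandbox-vendor code. Events
are constructed Sysmon EID 1-style records, not taken from the page."""
from collections import defaultdict
from ntpath import basename

# Constructed events mirroring the graph: loaddll32 -> rundll32 -> TRACERT.EXE
# -> {cmd.exe, openvpn-gui.exe}. The "Roaming\OpenVPN" segment is hypothetical;
# the page shows only "AppData\...". pids 90/91 are benign controls.
EVENTS = [
    {"pid": 11, "ppid": 2, "image": r"C:\Windows\SysWOW64\loaddll32.exe"},
    {"pid": 17, "ppid": 11, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 26, "ppid": 17, "image": r"C:\Windows\SysWOW64\TRACERT.EXE"},
    {"pid": 37, "ppid": 26, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 48, "ppid": 26, "image": r"C:\Users\user\AppData\Roaming\OpenVPN\openvpn-gui.exe"},
    {"pid": 90, "ppid": 5, "image": r"C:\Windows\System32\TRACERT.EXE"},      # admin ran tracert
    {"pid": 91, "ppid": 6, "image": r"C:\Program Files\OpenVPN\bin\openvpn-gui.exe"},  # real install
]


def build_index(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def image_name(e):
    # ntpath handles backslash paths on any host OS.
    return basename(e["image"]).lower()


def ancestry(events, pid):
    """Image names from the process up to the oldest recorded ancestor."""
    by_pid, _ = build_index(events)
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_alerts(events):
    """Return (severity, pid, reason) tuples in event order."""
    _, children = build_index(events)
    alerts = []
    for e in events:
        name = image_name(e)
        # Rule 1: tracert.exe has no business creating processes. In the
        # graph it did so only after rundll32.exe injected into it.
        if name == "tracert.exe" and children[e["pid"]]:
            kids = ", ".join(sorted(image_name(c) for c in children[e["pid"]]))
            alerts.append(("high", e["pid"], f"tracert.exe spawned {kids}"))
        # Rule 2: the dropped copy runs from the user profile; a packaged
        # OpenVPN install runs from Program Files.
        if name == "openvpn-gui.exe" and "\\appdata\\" in e["image"].lower():
            alerts.append(("medium", e["pid"], "openvpn-gui.exe running from AppData"))
    return alerts


if __name__ == "__main__":
    for sev, pid, reason in find_alerts(EVENTS):
        print(f"{sev:6} pid={pid} {reason} lineage={' <- '.join(ancestry(EVENTS, pid))}")
```

Rule 1 generalises beyond this sample: any LOLBin that is a common hollowing target (tracert.exe here) becoming a parent is a strong signal regardless of which family did the injecting. Rule 2 is specific to the dropped artefacts on this page and should be paired with the libcrypto-1_1.dll write in the same directory when file-create telemetry is available.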
Result
Threat name: Win32.Dropper.Demp
Status: Malicious
First seen: 2021-03-20 22:07:00 UTC
AV detection: 15 of 26 (57.69%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SHA256 hash: e7a6e48e93a3d286568161e52e0aaeb945de463505fdc572012148272b6b41ec
MD5 hash: 7429c38e3022a2677d7f6350b6cf261b
SHA1 hash: 4feda63173d94f6d423f2e45901fa9cad3f579ad
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: MALWARE_Win_NetWire
Author: ditekSHen
Description: Detects NetWire RAT

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments