MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01fcf0e844ec177aa8e07cbdc1cd0bd5bbd7ef38b8335b58a2eb383b83885f1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01fcf0e844ec177aa8e07cbdc1cd0bd5bbd7ef38b8335b58a2eb383b83885f1c
SHA3-384 hash: 401bd511f2c5633fc08276236a611060f3f70ee478f6680d2725b318049b316ce3e9bdfa2febeffc6e3fffbb49d379e3
SHA1 hash: 65daa01081d1906badb004561fdb9b24278e7fbd
MD5 hash: b52fbac548ebe7f8f074b2db88bda94b
humanhash: cardinal-hawaii-diet-alanine
File name:New PO UMJ 3238954007, 72288842, and 798530180057985301800672288843.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:940'737 bytes
First seen:2020-09-13 20:23:36 UTC
Last seen:2020-09-13 20:42:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 16e79959a4addb2de0f630e15e492f1b (1 x NetWire)
ssdeep 12288:InxOqIkK9Njhk3RFAZL+o21+gtzN8iqHoZbwa6ca49tN0i/vO80WFK3I2d73O:IxVwS4ZL+o8WIkM9tN0kv88TS7+
Threatray 450 similar samples on MalwareBazaar
TLSH F3159E23A2914C37D1231A3C9C2B5B689936BE113E24ED4A6BF51D4C1F3938178F95BB
Reporter FORMALITYDE
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58895/
Detection(s):
PUA.Win.Trojan.Generic-6629273-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/464911
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: NetWire
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 284865 Sample: New PO   UMJ 3238954007, 72... Startdate: 13/09/2020 Architecture: WINDOWS Score: 100 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected NetWire RAT 2->51 53 6 other signatures 2->53 8 Dpginet.exe 13 2->8         started        12 New PO   UMJ 3238954007, 72288842, and 798530180057985301800672288843.exe 1 15 2->12         started        15 Dpginet.exe 13 2->15         started        process3 dnsIp4 43 162.159.133.233, 443, 49748 CLOUDFLARENETUS United States 8->43 55 Antivirus detection for dropped file 8->55 57 Multi AV Scanner detection for dropped file 8->57 59 Machine Learning detection for dropped file 8->59 17 ieinstal.exe 8->17         started        45 cdn.discordapp.com 162.159.129.233, 443, 49728, 49756 CLOUDFLARENETUS United States 12->45 39 C:\Users\user\AppData\Local\Dpginet.exe, PE32 12->39 dropped 61 Writes to foreign memory regions 12->61 63 Allocates memory in foreign processes 12->63 65 Creates a thread in another existing process (thread injection) 12->65 19 notepad.exe 4 12->19         started        22 ieinstal.exe 2 12->22         started        67 Injects a PE file into a foreign processes 15->67 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 19->37 dropped 27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        41 185.244.30.151, 3434, 49740, 49741 DAVID_CRAIGGG Netherlands 22->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01fcf0e844ec177aa8e07cbdc1cd0bd5bbd7ef38b8335b58a2eb383b83885f1c/
Threat name:
Win32.Trojan.RemcosCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-13 09:14:45 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ah6pb2ce5qlxvkhaps64dtil2w55p3zyxazvwwfc5m4dxa4il4oa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0179848cfc3414a2799af814eada847b33e5492f5824bf0b2418137dc4c02d47
NetWire
07f411bd02cb5654c8903477700a32802c0ed1f445d14144bc306a2af3aa7910
NetWire
090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282
NetWire
0c91c97182b3f1389437d15ff6aaa935156fc5ecc1c71c5588c0d831943acf4e
NetWire
4fea6e355cf21e8c42cde98a6ee6f03e8ea24ec6df6a5711b9a31cb43eb93fc6
NetWire
62e8d80b582bb90531dd63743d085910e20cdc35494bea3209fd80e22cff13bd
NetWire
9b1b5389e9953290c088469ae38ceb0c58899b90226fbc217012c965e523149c
NetWire
aae45a77eeaca2d69630e035293e25a47f81d5b7612bace059d1678154485b85
NetWire
cdb81c63c05c1850a79a3441001e9f007fea5851a06090da724c8fe924204e93
NetWire
d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b
NetWire
+ 440 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/200913-y5ypjvfa9j/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
WanaCrypt0r
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01fcf0e844ec177aa8e07cbdc1cd0bd5bbd7ef38b8335b58a2eb383b83885f1c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 01fcf0e844ec177aa8e07cbdc1cd0bd5bbd7ef38b8335b58a2eb383b83885f1c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58895/

Comments