MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
SHA3-384 hash: 0fea2458ed3c2f3780c6d2576e1da5ad5fccfaadadd7e8a1f3de2143eae241f1e274bc6d403cf50439ba0964b702a14e
SHA1 hash: 43e174cb6f5092a4061605d94a277ced24dbca33
MD5 hash: 6a52e9d53286f8afcc2d70296e953e4d
humanhash: arizona-minnesota-dakota-finch
File name:PO 59536023 VFD.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:975'872 bytes
First seen:2023-01-10 13:45:51 UTC
Last seen:2023-01-10 15:36:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:5gh/CSy9mYIxf6gGo5ZG7BoYs5nyyx+NxEyaJu:Kh/CmXZIxs5nyC+Nqya
Threatray 5'492 similar samples on MalwareBazaar
TLSH T18625BF9DA2B14137FA8A117D6E7C228D1DB0ED473E2DF20BAA773340A6355BB7158132
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
212.193.30.230:6063

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
PO 59536023 VFD.exe
Verdict:
Malicious activity
Analysis date:
2023-01-10 13:49:18 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/9487e11e-517f-42c5-8d88-b32b37f22902

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351551/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.13578.14360.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63bd6c1e5f356e00329cef46/reports/129edfc1-7d05-493c-8985-32bcd0559168/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/331fa76c-c5f8-4a20-9e9a-c4ca1eee89d1
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1148790
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 781524 Sample: PO 59536023 VFD.exe Startdate: 10/01/2023 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 9 other signatures 2->84 9 PO 59536023 VFD.exe 7 2->9         started        13 OVdwAu.exe 5 2->13         started        15 Host.exe 2->15         started        17 2 other processes 2->17 process3 file4 68 C:\Users\user\AppData\Roaming\OVdwAu.exe, PE32 9->68 dropped 70 C:\Users\user\...\OVdwAu.exe:Zone.Identifier, ASCII 9->70 dropped 72 C:\Users\user\AppData\Local\...\tmpE980.tmp, XML 9->72 dropped 74 C:\Users\user\...\PO 59536023 VFD.exe.log, ASCII 9->74 dropped 94 Adds a directory exclusion to Windows Defender 9->94 96 Injects a PE file into a foreign processes 9->96 19 PO 59536023 VFD.exe 3 9->19         started        22 powershell.exe 21 9->22         started        24 schtasks.exe 1 9->24         started        98 Multi AV Scanner detection for dropped file 13->98 100 Machine Learning detection for dropped file 13->100 26 schtasks.exe 13->26         started        35 2 other processes 13->35 28 Host.exe 15->28         started        31 schtasks.exe 15->31         started        33 schtasks.exe 17->33         started        37 2 other processes 17->37 signatures5 process6 file7 64 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 19->64 dropped 39 Host.exe 5 19->39         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        102 Creates autostart registry keys with suspicious names 28->102 48 conhost.exe 31->48         started        50 conhost.exe 33->50         started        signatures8 process9 signatures10 86 Multi AV Scanner detection for dropped file 39->86 88 Machine Learning detection for dropped file 39->88 90 Adds a directory exclusion to Windows Defender 39->90 92 Injects a PE file into a foreign processes 39->92 52 Host.exe 39->52         started        56 powershell.exe 39->56         started        58 schtasks.exe 39->58         started        process11 dnsIp12 76 212.193.30.230, 49695, 49696, 49697 SPD-NETTR Russian Federation 52->76 66 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 52->66 dropped 60 conhost.exe 56->60         started        62 conhost.exe 58->62         started        file13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 13:46:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=airycpyukbq3f5zfow7e23p2jceniht4lxk5mt6fo7pjz5fticza._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1bb72419895796c3a394f4b55f0c31959c992111803764d8167dcb6c7af3088c
NetWire
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
NetWire
22a7c02eac7f7940eba9afa9ca51a179789e22257ffe87cbab02c15360a9fded
NetWire
63c76b6d8a6c83e113d4a72361c8df64d493339fe94503522b3f666b19aacfa2
NetWire
98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9
NetWire
99e8dfa23cef1d5d67c765df3de3bc6e750a2d8fa4628a9442d08fc40aaaa656
NetWire
a317414343c80367a0b5cdc91b77f1948f229fda4dbaea75b07258a2cd6a4ecd
NetWire
b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
NetWire
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
NetWire
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
NetWire
+ 5'482 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/230110-q2zl9aca7y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:6063
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/071c0997-6bc3-4f1e-afc6-db46c59751ea
Unpacked files
SH256 hash:
47671e7228459787f800299398fcb760125bd7a9950bf13e82ed868c94674431
MD5 hash:
6f3f16005586d93489853c13dfd6abae
SHA1 hash:
98cf6314fe463440ca8f423bd855a108b01fc752
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/6864e96a-6bec-4c52-b362-e0590d4f04a0/
Parent samples :
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1
a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
SH256 hash:
c47e2d12442ecc8e285ac50096896d2f5c5e7eb0d6be54c211011e8c440e2c83
MD5 hash:
134c8597c51c3ceb44400bc003c60fa2
SHA1 hash:
7ca835dd55c7a84175c03c86d2892719e3d05092
Link:
https://www.unpac.me/results/6864e96a-6bec-4c52-b362-e0590d4f04a0/
SH256 hash:
ae9ab261df803286942d08960ea56406db8fe44a4756b1ccfdb8b91a50ae9f35
MD5 hash:
78db0f9da8ce273f01b12b1fbbdc047c
SHA1 hash:
57a6d741f2cca16e762ea37aa81604b92d3846ba
Link:
https://www.unpac.me/results/6864e96a-6bec-4c52-b362-e0590d4f04a0/
SH256 hash:
be5fb82b8f5e4cfb9c01ec259f6a69c79ddb0b864c8a0f267d45b667d2a04e1e
MD5 hash:
144a9bb93fe9d7801dd608ae8836ba11
SHA1 hash:
4b448d3f714c94f7388170a8024c901702a40808
Link:
https://www.unpac.me/results/6864e96a-6bec-4c52-b362-e0590d4f04a0/
SH256 hash:
b371f072c7fdb207ddc1c7dcfe1a08054c8abbc174e9ee70aca0aa188cf99286
MD5 hash:
09ec15bccb0a169015366c3441d621df
SHA1 hash:
0f1a21de12144326000577c4b70ffdc1f4787d2d
Link:
https://www.unpac.me/results/6864e96a-6bec-4c52-b362-e0590d4f04a0/
SH256 hash:
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
MD5 hash:
6a52e9d53286f8afcc2d70296e953e4d
SHA1 hash:
43e174cb6f5092a4061605d94a277ced24dbca33
Link:
https://www.unpac.me/results/6864e96a-6bec-4c52-b362-e0590d4f04a0/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0223813f1450/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351551/

Comments