MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c
SHA3-384 hash:	45988553d55e866f9168634d68f83fb1d413cae3f4fc816a14a18f39713f25483295f3e65f4530b31d49a1fd4108922f
SHA1 hash:	d3d0c93d25cf80b5001351d4306608c10cfbb108
MD5 hash:	12c902b8f2080be1d93ff699e15afc10
humanhash:	finch-batman-emma-cola
File name:	MAERSK ARRIVAL NOTICE.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	479'232 bytes
First seen:	2021-09-14 08:39:07 UTC
Last seen:	2021-09-14 10:12:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Vk4DbF53e0IUFLlW5nhOfRrbE0xqdqguCESVd:NZW5nhCxq5ESVd
Threatray	565 similar samples on MalwareBazaar
TLSH	T191A4AE2039FF5119F1B3AFB95EE0B5868A6FB6633A17E45D145103860B23F81CD91B3A
Reporter	abuse_ch
Tags:	exe Maersk NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

779

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MAERSK ARRIVAL NOTICE.exe

Verdict:

Malicious activity

Analysis date:

2021-09-14 08:43:04 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/09f2c067-ec55-4e83-9ae3-cdb79a1b8643

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/187760/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.12996.5899.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61750daedb358dd15ed92235/reports/c8ddaf63-6166-4a06-970f-b165cbf227e3/overview

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca521efd-2722-458f-9337-6c038ab090fc

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850512

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Executable has a suspicious name (potential lure to open the executable)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c/

Threat name:

ByteCode-MSIL.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2021-09-14 08:39:36 UTC

AV detection:

9 of 44 (20.45%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ajl4fw5ccyqj23e223tasz2v57e3jfqqddv5z2xizey43nrkmuga._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet evasion rat stealer

Link:

https://tria.ge/reports/210914-kkwalsfdb8/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

night90.ddns.net:8999

Unpacked files

SH256 hash:

ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587

MD5 hash:

43ababb6b0a02907aad43084f12b10d9

SHA1 hash:

b60ba705891d5a666d64300181b475a46714ffa8

Link:

https://www.unpac.me/results/2d155ca3-6832-4ee5-b1f0-6fda49961c76/

SH256 hash:

3121f99240fd4c3f45da8f20d10d491bfd0b87c911f3f7c957c556c92d050029

MD5 hash:

b1b3d7734b861dfd6609920c2c94304b

SHA1 hash:

56a0059510c8e5951d115cfaaf897b98040e51c9

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/2d155ca3-6832-4ee5-b1f0-6fda49961c76/

Parent samples :

466c6eed81c9e10b97b539264af394bef185fdfa72cd3550f62d6634dfb2acc3
46b6c90d331eabb7e554cfe3baa01ed3e72b40793f7bc670f95b22ee611725a9
11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559
dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56
0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c
6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd

SH256 hash:

275d3e60d9f099e520915bdbacb46e152551b4dcd05c31ef636416621c3a19ac

MD5 hash:

442b12f80395177c9f9694ebf2671061

SHA1 hash:

32b089b49b48251d7e8502d6dcb297609d61613f

Link:

https://www.unpac.me/results/2d155ca3-6832-4ee5-b1f0-6fda49961c76/

SH256 hash:

0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c

MD5 hash:

12c902b8f2080be1d93ff699e15afc10

SHA1 hash:

d3d0c93d25cf80b5001351d4306608c10cfbb108

Link:

https://www.unpac.me/results/2d155ca3-6832-4ee5-b1f0-6fda49961c76/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0257c2dba216/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/187760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample