MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
SHA3-384 hash: 2504e99ee09d32e709dbb98de1a477305678f7bded3454728f76687538faebac40a477d5a60068be26e7ac4d58ac077a
SHA1 hash: 158c22dea6eb92f518af7ea947e08521a904e3ad
MD5 hash: 3564b2127c519a9e39b63f0e6994a3d1
humanhash: speaker-fifteen-minnesota-speaker
File name:3564b2127c519a9e39b63f0e6994a3d1.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:164'352 bytes
First seen:2022-08-02 18:01:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4563c74acbd357d386b177e402b96ce4 (60 x NetWire)
ssdeep 3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvhYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/hzQqqDvFf
Threatray 749 similar samples on MalwareBazaar
TLSH T1C6F31719FA87A4F6FE0B1D31919BF33F0B757A01C130CE92EF541E85EA23C26151AA59
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe NetWire RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
448
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
3564b2127c519a9e39b63f0e6994a3d1.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 06:00:55 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/ea4cfe02-1b9f-4070-a0e9-f4d05f3e62e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295988/
Detection(s):
Win.Dropper.NetWire-8025706-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive greyware keylogger netwire packed shell32.dll wacatac windows wirenet
Link:
https://www.filescan.io/uploads/62e967166336465f2a06b238/reports/450c3b20-cfd5-4e62-910c-cbcfb2b28892/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70147113-0866-4172-97ef-c45fa3dcf34f
Result
Threat name:
NetWire, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045127
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 677625 Sample: 85m6riZZ9Q.exe Startdate: 02/08/2022 Architecture: WINDOWS Score: 100 72 geoplugin.net 2->72 84 Snort IDS alert for network traffic 2->84 86 Multi AV Scanner detection for domain / URL 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 12 other signatures 2->90 12 85m6riZZ9Q.exe 3 2->12         started        16 remcos.exe 2->16         started        18 remcos.exe 2->18         started        20 remcos.exe 2->20         started        signatures3 process4 file5 70 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 12->70 dropped 98 Contains functionality to log keystrokes 12->98 100 Found evasive API chain (may stop execution after checking mutex) 12->100 22 Host.exe 2 2 12->22         started        102 Machine Learning detection for dropped file 16->102 104 Adds a directory exclusion to Windows Defender 16->104 27 powershell.exe 16->27         started        29 schtasks.exe 16->29         started        31 remcos.exe 16->31         started        signatures6 process7 dnsIp8 74 37.0.14.206, 3352, 3384, 49734 WKD-ASIE Netherlands 22->74 64 C:\Users\user\AppData\Roaming\...\BJUmMH.exe, PE32 22->64 dropped 92 Antivirus detection for dropped file 22->92 94 Multi AV Scanner detection for dropped file 22->94 96 Machine Learning detection for dropped file 22->96 33 BJUmMH.exe 6 22->33         started        37 conhost.exe 22->37         started        39 conhost.exe 27->39         started        file9 signatures10 process11 file12 60 C:\Users\user\AppData\...\jvNgSnlggEb.exe, PE32 33->60 dropped 62 C:\Users\user\AppData\Local\...\tmp5F3A.tmp, XML 33->62 dropped 76 Machine Learning detection for dropped file 33->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 33->78 80 Adds a directory exclusion to Windows Defender 33->80 82 Injects a PE file into a foreign processes 33->82 41 BJUmMH.exe 5 4 33->41         started        44 powershell.exe 21 33->44         started        46 schtasks.exe 1 33->46         started        signatures13 process14 file15 66 C:\ProgramData\Remcos\remcos.exe, PE32 41->66 dropped 68 C:\Users\user\AppData\Local\...\install.vbs, data 41->68 dropped 48 wscript.exe 1 41->48         started        50 conhost.exe 44->50         started        52 conhost.exe 46->52         started        process16 process17 54 cmd.exe 48->54         started        process18 56 conhost.exe 54->56         started        58 remcos.exe 54->58         started       
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd/
Threat name:
Win32.Backdoor.NetWired
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 21:50:59 UTC
File Type:
PE (Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=beid6zjwzeyvyti47iukiec2f2n5a324imv3mlofuky5bnmqf7oq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
4c93747030e17a8581b15cce2fd3aee28eb12dab9a8ec33839d083cda679487d
NetWire
5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42
NetWire
8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9
NetWire
9a558d058307b8c1ef997ef5aa803d4e1f91b94c3c4df9bf038c4b445713a37c
NetWire
bcc6ba14b357c5f88e7e495d16411be6d488918c743214018db2c8e45961fd94
NetWire
d2723a5c5c192b80edf6e6ed6d033cd1f916ad9bffefed86ebd6120499c4a058
NetWire
+ 739 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220802-wlv7sahfb7/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
37.0.14.206:3384
Unpacked files
SH256 hash:
09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
MD5 hash:
3564b2127c519a9e39b63f0e6994a3d1
SHA1 hash:
158c22dea6eb92f518af7ea947e08521a904e3ad
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/cf9d0be4-9083-4094-a84f-ec6a01f051d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2264014/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295988/

Comments