MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a
SHA3-384 hash:	ba799616e36c62ba21c31a02c76b817c79507cd7e4acfc0c295c931ec865dd56832bd3bffd42c378ba86957093e6cd2a
SHA1 hash:	fa365ec75467941411041ccdc97578a5f0bffb17
MD5 hash:	109a0fb8f5f00f425fa6f2c392cf7758
humanhash:	oven-august-pip-red
File name:	Maschine Neue RESALE Anfrage für 0037-1233 be.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'113'600 bytes
First seen:	2022-12-23 14:20:34 UTC
Last seen:	2022-12-23 15:37:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:IsFdELpCybniAU63bXJZozF3o/s01HDwaITZXdbH80VV:tFdELpCybniAU63bAR4Ecj
TLSH	T13035170BAFBC59D1E961D5712A634AE700A1F70617B4DBC8629FBD3170E83323716A87
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	cc94696d69666b74 (13 x Formbook, 1 x AgentTesla, 1 x NetWire)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
37.120.145.160:3360

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

Maschine Neue RESALE Anfrage für 0037-1233 be.exe

Verdict:

Malicious activity

Analysis date:

2022-12-23 14:22:37 UTC

Tags:

trojan rat netwire

Link:

https://app.any.run/tasks/3d4170e5-42bb-4d46-bd45-207a3f70916c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.25126.1088.8637.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a process from a recently created file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63a5b950220b45ce1590c999/reports/8d364e8f-40e3-4f1b-9e82-3e9b77703c4f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f4f79a65-8088-4887-9b99-41dbec771a2d

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1140035

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-12-23 14:21:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=be2v2vle4hg5lgwafbpfq25cwdrmpngfzhx2c7fy7mp4jogdygna._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/221223-rnzwjage55/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

37.120.145.160:3360

Unpacked files

SH256 hash:

fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa

MD5 hash:

6c3fdb2b5d93cf814ea1b6ca05a0efcf

SHA1 hash:

f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5

Link:

https://www.unpac.me/results/f77235a4-9b9e-4770-bbaa-502fa1350383/

SH256 hash:

6f07c0308848fa29a23149b52040606bf29ebea196617d012549fd0dc90a7bee

MD5 hash:

0ebea562f959afc8378a587ac4aefb3c

SHA1 hash:

76d1214e2cf399964ffd7812e4c5cc65c78c5507

Detections:

Netwire

win_netwire_g1

Link:

https://www.unpac.me/results/f77235a4-9b9e-4770-bbaa-502fa1350383/

SH256 hash:

b1cb120fad6ee63ecccb62bde46dcadc57a305ae5d8338e6a8eba24ab7442b50

MD5 hash:

0fa51829ad0c08619bd8db24367ce1c3

SHA1 hash:

3e68dea5c782f609b591a43829ff634a4dba80ab

Link:

https://www.unpac.me/results/f77235a4-9b9e-4770-bbaa-502fa1350383/

SH256 hash:

ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c

MD5 hash:

77ab42f4bbbf4565846eb8953192d71f

SHA1 hash:

3c662c756cc31867c0473716a74e777a65ced550

Link:

https://www.unpac.me/results/f77235a4-9b9e-4770-bbaa-502fa1350383/

SH256 hash:

a4a1af8fc1580a570b7f0c74f67c9b1ff9cf09fd87b5e448de860cb595a219a9

MD5 hash:

e84023408b2d858ebec73ac5db9c7a4f

SHA1 hash:

2e2659032f8187277915e536f4c89dd5ccfb0809

Detections:

Netwire

Link:

https://www.unpac.me/results/f77235a4-9b9e-4770-bbaa-502fa1350383/

SH256 hash:

09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a

MD5 hash:

109a0fb8f5f00f425fa6f2c392cf7758

SHA1 hash:

fa365ec75467941411041ccdc97578a5f0bffb17

Link:

https://www.unpac.me/results/f77235a4-9b9e-4770-bbaa-502fa1350383/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/09355d5564e1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_Netwire_1b43df38 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Netwire_f42cb379 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Netwire_f85e4abc Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample