MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b
SHA3-384 hash: 5454e185376c3015489de033bfee0f788ffe6c7e53aeb7607adfd9b2230baa1994a726b4c26e7f29f0f55bbd171c4d0d
SHA1 hash: d1d38d629f7d86d854efef65eb81635e4ab5d9f0
MD5 hash: a7ce2f883660a89695ae17ce9c60a7dc
humanhash: mississippi-blossom-diet-iowa
File name:property.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:732'160 bytes
First seen:2021-01-20 06:30:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 22673e55edaa8d924306e1f5da0283cf (1 x NetWire, 1 x SnakeKeylogger)
ssdeep 12288:kshtVIb/hAjTT3dmxSI493jHZ+ekOzEB81:ksWb6T7dmxZ4xDVJEB+
Threatray 690 similar samples on MalwareBazaar
TLSH D8F48E20354380F3C0D1537F59E4C2AE995D2CA3A953147EB78C3AAA6AFC69CF1F4259
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: s15-116-231.thcservers.com
Sending IP: 91.235.116.231
From: christene@appraisal-property.com
Subject: Fwd: Appraisal Report for your Loan Application-5536288922
Attachment: Appraisal-report.zip (contains "property.exe")

NetWire RAT C2:
schoolstaff.3utilities.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
property.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 06:31:31 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/e979f337-adb8-48f0-b9eb-ff0f38448ceb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113021/
Detection(s):
PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/585794
Signature
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=blldp7jpnpsdwqjdcubhydrggyzjw7na6uneb2aotlmmozkyxnvq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2388b2c1717d5f5741c2730b205a04d627d2cb6a1d4f781fb2f5fae3fa508e76
NetWire
3101eed05f09d6c47096bfea7ffc2367a7f83325618b602b6e808bcfb9bd6989
NetWire
40d8ba1b4ae578829ce958a356395307e27eda0512bc78021ccb93e4b26134f7
NetWire
5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
NetWire
90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e
NetWire
a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d
NetWire
c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
NetWire
f5041ea07d530c171a670d71769deb2185c8620462b4e26c59a923784f3bd17a
NetWire
f5d88ee96cd5fbdda828c9ec267600fb6308a11318f8290d6d15d34f64070f05
NetWire
fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992
NetWire
+ 680 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210120-ghage4wwj6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b
MD5 hash:
a7ce2f883660a89695ae17ce9c60a7dc
SHA1 hash:
d1d38d629f7d86d854efef65eb81635e4ab5d9f0
Link:
https://www.unpac.me/results/329bae53-11fb-4a91-b372-1d9903688a69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip 84ced70af586582a43dfd929b6a9fb051eca399ca234c3e2d9a4385f21907484

NetWire

Executable exe 0ad637fd2f6be43b412315027c0e2636329b7da0f51a40e80e9ad8c76558bb6b

(this sample)

  
Dropped by
MD5 7a2f01abb8b460cc4e69910e074551ed
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 84ced70af586582a43dfd929b6a9fb051eca399ca234c3e2d9a4385f21907484
Cape
Cape
https://www.capesandbox.com/analysis/113021/

Comments