MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0c3bf29a48a57cac902d7a36fc260eb43b2075daf62ca71602e82ce302375f0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
NetWire
Vendor detections: 8
| SHA256 hash: | 0c3bf29a48a57cac902d7a36fc260eb43b2075daf62ca71602e82ce302375f0d |
|---|---|
| SHA3-384 hash: | 9a866c5e8cf854e828ef02c2d20cd5e602797dcf0378894a47b585541cda2c9aaa4f39a0b7ea147a99cf2088fac6fd2f |
| SHA1 hash: | 8e2f9b59befb62d4c1d7ad2e12a1acc1a8b80f2f |
| MD5 hash: | c165b4a1ee70b20a7779bcc63fadd2ea |
| humanhash: | illinois-monkey-three-fanta |
| File name: | 0c3bf29a48a57cac902d7a36fc260eb43b2075daf62ca71602e82ce302375f0d |
| Download: | download sample |
| Signature | NetWire |
| File size: | 474'162 bytes |
| First seen: | 2020-11-13 15:20:08 UTC |
| Last seen: | 2024-07-24 11:08:44 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 4e951e86436c76d700c0d4b4eb177a14 (2 x NetWire) |
| ssdeep | 6144:uJvuacp338Nwu3i8gFhhQZ/mdNfHX5urzOfKpi1zlA+GQ2mxrSvbvP+ri3w6S:TL9mly7fR4SKkTgouUi3y |
| Threatray | 2 similar samples on MalwareBazaar |
| TLSH | 2FA42346F204C8D1DF2517B9A56220F9EB1AAC20CD73B47B69CE396EAF72770501BE05 |
| Reporter |  seifreed |
| Tags: | NetWire |
Intelligence
File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.Sasfis
Status:
Malicious
First seen:
2020-11-13 15:22:15 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
netwire
Score:
10/10
Tags:
family:netwire botnet persistence rat stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
UPX packed file
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
0c3bf29a48a57cac902d7a36fc260eb43b2075daf62ca71602e82ce302375f0d
MD5 hash:
c165b4a1ee70b20a7779bcc63fadd2ea
SHA1 hash:
8e2f9b59befb62d4c1d7ad2e12a1acc1a8b80f2f
SH256 hash:
65301b6b90c5691ecbe129317267c0b4962a82fd7a7647dff0d936c493cc57f7
MD5 hash:
ef83f97539eaa42ab198bea5c1c6b627
SHA1 hash:
67fa6ad0d9ec01531f7a0ed7bf1d6224b06c10ea
SH256 hash:
d960e7e179c59049a45d67bc674132dc2237007b00b3601b2f601d695b96d592
MD5 hash:
112deba98d24e51c16fa9f445e8ad587
SHA1 hash:
2bc46fef0a8a1e01e415bd24c680cc130668fde6
Detections:
win_netwire_g1
win_netwire_auto
SH256 hash:
b92d1ff62ffeb681066cc26b49a65878e0c80dad1f42a8481b4a09b90f58add2
MD5 hash:
4860e6f528d30d278d55c9e2398ef8b6
SHA1 hash:
b5a16c79fcacf09d03f733aa4d8f396cc15e16bf
Detections:
win_golroted_w0
win_golroted_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Malicious_BAT_Strings |
|---|---|
| Author: | Florian Roth |
| Description: | Detects a string also used in Netwire RAT auxilliary |
| Reference: | https://pastebin.com/8qaiyPxs |
| Rule name: | MAL_unspecified_Jan18_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects unspecified malware sample |
| Reference: | Internal Research |
| Rule name: | netwire |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect netwire in memory |
| Reference: | internal research |
| Rule name: | Suspicious_BAT_Strings |
|---|---|
| Author: | Florian Roth |
| Description: | Detects a string also used in Netwire RAT auxilliary |
| Reference: | https://pastebin.com/8qaiyPxs |
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
| Rule name: | win_netwire_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | win_netwire_g1 |
|---|---|
| Author: | Slavo Greminger, SWITCH-CERT |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.