MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 108425e103be235bce0ade8198ea187093aa9dcb8186a87a6aafb2f434772779. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 108425e103be235bce0ade8198ea187093aa9dcb8186a87a6aafb2f434772779
SHA3-384 hash: be861a73a7292ef61ecfc3a6509fcfdf06e903bf431964daad4c416b8061fc97e7c9a59e98f41ceca7bab1477a5f84db
SHA1 hash: 13cc43d2e6ebd0626aad5effb6b0cdba96d745e7
MD5 hash: 0c1f0a1ce0e6ae29ad2fe132c7dc0fae
humanhash: muppet-maine-robert-north
File name:0c1f0a1ce0e6ae29ad2fe132c7dc0fae.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'458'688 bytes
First seen:2023-01-21 17:30:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:kbR8NgdAnvXtNEYCWC5B+VqN9x4ODSl6ppjLb3ApTBS6qI26Ozct+J5gGYceIgKl:5vTZCUIK4Ax5q
Threatray 1'561 similar samples on MalwareBazaar
TLSH T11D65CFB34593FFEAE3931E1888087D518CA924175B78D3F8BDC9106F94E9274EA9C970
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f9b397d28e9b928a (1 x NetWire)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
37.0.14.198:5345

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
0c1f0a1ce0e6ae29ad2fe132c7dc0fae.exe
Verdict:
Malicious activity
Analysis date:
2023-01-21 17:32:17 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/69774e52-7272-41d8-a42b-6d2f8b6ac968

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355390/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63cc21592b351a3d0ea76d9a/reports/55e3d358-9583-4720-9f06-ba7377efdde2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ebe355d1-b75c-4774-9149-998b44b3329d
Result
Threat name:
AgentTesla, NetWire, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156238
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Yara detected NetWire RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788970 Sample: ufBgoIkDvJ.exe Startdate: 21/01/2023 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus detection for URL or domain 2->34 36 11 other signatures 2->36 7 ufBgoIkDvJ.exe 17 5 2->7         started        12 Jvueduqhost.exe 1 2->12         started        process3 dnsIp4 24 discord.com 162.159.128.233, 443, 49703 CLOUDFLARENETUS United States 7->24 22 C:\Users\user\AppData\...\Jvueduqhost.exe, PE32 7->22 dropped 38 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->38 40 Tries to steal Mail credentials (via file / registry access) 7->40 42 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->42 44 3 other signatures 7->44 14 Jvueduqhost.exe 2 7->14         started        18 powershell.exe 16 7->18         started        26 betterday.duckdns.org 12->26 file5 signatures6 process7 dnsIp8 28 betterday.duckdns.org 37.0.14.198, 49701, 49704, 5345 WKD-ASIE Netherlands 14->28 46 Antivirus detection for dropped file 14->46 48 Multi AV Scanner detection for dropped file 14->48 50 Found evasive API chain (may stop execution after checking mutex) 14->50 52 2 other signatures 14->52 20 conhost.exe 18->20         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/108425e103be235bce0ade8198ea187093aa9dcb8186a87a6aafb2f434772779/
Threat name:
ByteCode-MSIL.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 11:41:09 UTC
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cccclyidxyrvxtqk32azr2qyocj2vholqgdkq6tkv6zpindxe54q._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
08c5de8e4d3c038e2385643b3201122ac43f7e09d21b89e42a2186a66fae3434
NetWire
15021c2dd3f993d61be7b5f2a0c7730ce78b42e574a7d116b5541439800d77df
NetWire
5e6776ba02afa4c03138edcdf1e10dabee3efd6afd1620dcdb3138e7632bcb79
NetWire
5fc77394fd32986a32fe00746df98db40d11fb240cb6646513aec9157e104ff3
NetWire
a1a14de41157c29cdc370987d9e11971d7493d4d809ff5d9b27259f3d30d8ddf
NetWire
ab9de97e47a48f549aca1f49ed1f7cccc251c29ffc3fdeece302f351e16d5eef
NetWire
cb6fdc529288324582af69d4dbb36c724815b6ade5aac964fe0a2eeeecf37e25
NetWire
+ 1'551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230121-v3p7esdb84/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
40da64479fe1e093e0a5331766b5570f15d7906d406714a7b9dcb5ac2f2ef839
MD5 hash:
a7984abee00b795dd7549f553c0483e0
SHA1 hash:
f660993e9da13a86d17079016c9a602fdeb1432c
Link:
https://www.unpac.me/results/2a9a0871-fea2-43c9-8f17-ba6a20d74a69/
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/2a9a0871-fea2-43c9-8f17-ba6a20d74a69/
SH256 hash:
aef7fc9fada0f19722793b47a0f0a2cb23ab101876478d9aa548e829eb468a93
MD5 hash:
3443aca895b7b1036efe6acca9d0eaf1
SHA1 hash:
af98ae8e98b8c33c7ee1c45f52106beb5c92efa1
Link:
https://www.unpac.me/results/2a9a0871-fea2-43c9-8f17-ba6a20d74a69/
SH256 hash:
ef9463a20d3adf706ed0e739531cef4cf856bc488a3d41703c44604a1c5a8425
MD5 hash:
10dcd10dee8544f39d3482b8df23e1d2
SHA1 hash:
98b166029b9c1e04336bb6e12fa758c8f16bf2b6
Link:
https://www.unpac.me/results/2a9a0871-fea2-43c9-8f17-ba6a20d74a69/
SH256 hash:
108425e103be235bce0ade8198ea187093aa9dcb8186a87a6aafb2f434772779
MD5 hash:
0c1f0a1ce0e6ae29ad2fe132c7dc0fae
SHA1 hash:
13cc43d2e6ebd0626aad5effb6b0cdba96d745e7
Link:
https://www.unpac.me/results/2a9a0871-fea2-43c9-8f17-ba6a20d74a69/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/108425e103be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/108425e103be235bce0ade8198ea187093aa9dcb8186a87a6aafb2f434772779

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355390/

Comments