MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
SHA3-384 hash: 47b72ddd2c4e040c79d31f70e7d8a32ffcb769d5bd111abf4cd13f2fa8935dfd12a04ff947c68ea8e67d5d537ba6cac8
SHA1 hash: bc52f3c2e66135c45763b7615438044a836e697c
MD5 hash: 3949b2d430da7623c452060acf237cd8
humanhash: blossom-snake-johnny-solar
File name:FCA008866311.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:565'760 bytes
First seen:2020-08-04 06:22:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep 12288:b75XAYMt3Q4vR77XxalaqrdsSSOqQY1HjaZ8Z:/KYfoXqrzSEY12Z8Z
Threatray 1'310 similar samples on MalwareBazaar
TLSH A6C422B2CB04D0E1D0A5E7350633A6D37782F85C8C3D585EA48F6A5A7E777C29A6310B
Reporter abuse_ch
Tags:exe NetWire nVpn RAT t-online


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mailout02.t-online.de
Sending IP: 194.25.134.17
From: Administracion | IDEAL s.r.l <firmahs@t-online.de>
Reply-To: Administracion | IDEAL s.r.l <firmahs@t-online.de>
Subject: RV: Pendiente
Attachment: FCA008866311.uue (contains "FCA008866311.exe")

NetWire RAT C2s:
43.226.229.43:2030
79.134.225.12:1414

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38161/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Dropper.NetWire-8025706-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Threat name:
Nanocore NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408615
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: NetWire
Yara detected Nanocore RAT
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256542 Sample: FCA008866311.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->46 48 Sigma detected: NanoCore 2->48 50 6 other signatures 2->50 7 FCA008866311.exe 2 2->7         started        11 Host.exe 2->11         started        13 Host.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\bob.exe, PE32 7->28 dropped 52 Maps a DLL or memory area into another process 7->52 54 Contains functionality to detect sleep reduction / modifications 7->54 15 bob.exe 3 7->15         started        19 FCA008866311.exe 8 7->19         started        22 FCA008866311.exe 7->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 15->30 dropped 38 Contains functionality to log keystrokes 15->38 40 Machine Learning detection for dropped file 15->40 24 Host.exe 3 15->24         started        34 79.134.225.12, 1414, 49729, 49730 FINK-TELECOM-SERVICESCH Switzerland 19->34 32 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->32 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->42 file8 signatures9 process10 dnsIp11 36 43.226.229.43, 2030 SOFTLAYERUS Hong Kong 24->36 56 Machine Learning detection for dropped file 24->56 signatures12
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 06:24:07 UTC
AV detection:
41 of 48 (85.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cklofpq6t2g4eqy42pbxgn5pn7u7fllotm4acekqpmajmqrfaila._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
netwirerc
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282
NetWire
0c34d4763fc968ccbe9f33dec2ae9e3e132a61b40ffc93cc22f337a0758c0279
NetWire
573f11821c72786131d82bcdb3744b83d01615c25489f4cf2c46181ae6143226
NetWire
af3c8597b7f874293c5b1fe53c4d1c476c7fdf06df678ba31d75c8f126ae90a0
NetWire
b0a98ae8b1dadc3b181f6252abef59940ceeb5019cd4ae2f0feadb0a520063cd
NetWire
b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
NetWire
c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea
NetWire
d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b
NetWire
d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 1'300 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200804-x3nzjlj5x2/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

uue 60b18cfbd68d771079ca9ea2973f150c08d50e71ba559f6493ea3f9053cd9ae2

NetWire

Executable exe 1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216

(this sample)

  
Dropped by
MD5 388007adc1f6a2eff6d78413bb24537e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38161/
  
Dropped by
SHA256 60b18cfbd68d771079ca9ea2973f150c08d50e71ba559f6493ea3f9053cd9ae2

Comments