MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa
SHA3-384 hash: 3e19dc1dfce3ff7d20cb16ce97f3c80c994969de3f0af5010d8f02c640f65fe5129d0018b059fba4530b0688dbff2d29
SHA1 hash: a22e8814f215f2564d6c476506d7f76eb78fe80e
MD5 hash: 32c10b0b4bb8a7e70cf58c573a05f16a
humanhash: jig-music-sweet-ohio
File name:SCANDA_Statement_of_Account_July_2020.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:498'176 bytes
First seen:2020-08-10 09:58:33 UTC
Last seen:2020-08-10 11:07:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep 12288:l89qTDQJ+ErC+ThsGsJ5AtAu9Ixp8kixjG9b63PeCwlTysFLx1:lnnY+2q20xp8kiP3NuTysF
TLSH 5AB423F1A22948D9D2091E3C5773A6B1AB43015E4CAC663DADB2FD4D3DB37D2821391B
Reporter abuse_ch
Tags:exe NetWire RAT t-online


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mailout02.t-online.de
Sending IP: 194.25.134.17
From: LIBA - SCANDA SOLUTIONS (KUWAIT) <fa.zajitschek@t-online.de>
Reply-To: jsntfxqvip.163@gmail.com <jsntfxqvip.163@gmail.com>
Subject: SOA JULY
Attachment: SCANDA_Statement_of_Account_July_2020.uue (contains "SCANDA_Statement_of_Account_July_2020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for the window
Sending a UDP request
Deleting a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/416727
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: NetWire
Tries to steal Mail credentials (via file access)
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260782 Sample: SCANDA_Statement_of_Account... Startdate: 10/08/2020 Architecture: WINDOWS Score: 92 79 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->79 81 Yara detected NetWire RAT 2->81 83 Sigma detected: NetWire 2->83 85 Machine Learning detection for dropped file 2->85 8 SCANDA_Statement_of_Account_July_2020.exe 3 2 2->8         started        12 Host.exe 2->12         started        14 SCANDA_Statement_of_Account_July_2020.exe 2->14         started        process3 file4 61 C:\Users\user\AppData\Local\Temp\Order.pdf, PDF 8->61 dropped 87 Maps a DLL or memory area into another process 8->87 89 Contains functionality to detect sleep reduction / modifications 8->89 16 SCANDA_Statement_of_Account_July_2020.exe 3 8->16         started        20 SCANDA_Statement_of_Account_July_2020.exe 8->20         started        22 AcroRd32.exe 39 8->22         started        24 Host.exe 12->24         started        26 Host.exe 12->26         started        28 SCANDA_Statement_of_Account_July_2020.exe 14->28         started        30 SCANDA_Statement_of_Account_July_2020.exe 14->30         started        signatures5 process6 dnsIp7 63 192.168.2.1 unknown unknown 16->63 59 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 16->59 dropped 32 Host.exe 16->32         started        35 SCANDA_Statement_of_Account_July_2020.exe 20->35         started        37 RdrCEF.exe 55 22->37         started        39 AcroRd32.exe 9 6 22->39         started        file8 process9 signatures10 69 Contains functionality to log keystrokes 32->69 71 Contains functionality to steal Internet Explorer form passwords 32->71 73 Contains functionality to steal Chrome passwords or cookies 32->73 75 Contains functionality to detect sleep reduction / modifications 32->75 41 Host.exe 3 32->41         started        45 Host.exe 32->45         started        77 Maps a DLL or memory area into another process 35->77 47 SCANDA_Statement_of_Account_July_2020.exe 35->47         started        49 SCANDA_Statement_of_Account_July_2020.exe 35->49         started        51 RdrCEF.exe 37->51         started        53 RdrCEF.exe 37->53         started        55 RdrCEF.exe 37->55         started        57 RdrCEF.exe 37->57         started        process11 dnsIp12 65 43.226.229.43, 2030, 49718, 49724 SOFTLAYERUS Hong Kong 41->65 91 Tries to steal Mail credentials (via file access) 41->91 67 80.0.0.0 NTLGB United Kingdom 51->67 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 05:58:09 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=crufmvqfsdwg6jbu6nh6ss2n2xpa27wxadg2ztavmy63d66iysva._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200810-hfs2ntlj8x/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

uue 4a8587f61a4969ae73d103ee83d1cdb1a12ebe6734bf32ab00a1de1529e54cf5

NetWire

Executable exe 146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

(this sample)

  
Dropped by
MD5 f426569c2ebd6d3fe4c05a29446509ad
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42661/
  
Dropped by
SHA256 4a8587f61a4969ae73d103ee83d1cdb1a12ebe6734bf32ab00a1de1529e54cf5

Comments