MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 168788f3ea6bb2fd9ac8f5925b6296f685a5e4ce87e4b5da6a5877109d782b97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 168788f3ea6bb2fd9ac8f5925b6296f685a5e4ce87e4b5da6a5877109d782b97
SHA3-384 hash: c30f5d8038c8d011bf459f2543b69ebcd517e43196a4a11514c7728a231accc77357e66d93bc71b42fda0a8e8d21c9b1
SHA1 hash: 8ec7686292d9257c06171094d135fb16acd5dd1e
MD5 hash: 61ed3debbd2ba0a2756614f1fc6aa290
humanhash: ceiling-juliet-apart-aspen
File name:ops.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'176'064 bytes
First seen:2022-04-05 15:17:56 UTC
Last seen:2022-05-02 03:32:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:SdOxLFDApSPKk48cxkuNNDAp4yLrSoMiK:SiLFssPH48nuNapNSoM
Threatray 7'977 similar samples on MalwareBazaar
TLSH T15645DFD2A3E98527E1B76B7459BB0B523F32FC96AB70810F1250E49D1C72750FD20B2A
File icon (PE):PE icon
dhash icon 9288ce8c2a868f92 (89 x Tinba, 7 x AsyncRAT, 6 x Dridex)
Reporter J_Hunt3r
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
394
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
ops.exe
Verdict:
Malicious activity
Analysis date:
2022-04-04 10:46:03 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/a94963d4-5f61-4cbe-ad49-bec842790fa0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260985/
Detection(s):
Win.Malware.Ototi-6591407-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a file
Adding an access-denied ACE
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12718/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll control.exe packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/624c5db5db9ca5cf8425a083/reports/09dab2e3-58a4-4562-84db-7093fe8ba942/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53143a59-bec3-4b96-a252-1e008f924502
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970921
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 603408 Sample: ops.exe Startdate: 05/04/2022 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 4 other signatures 2->51 8 ops.exe 1 5 2->8         started        11 znqxhh.exe 1 2->11         started        13 rundll32.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\Local\...\znqxhh.exe, PE32 8->29 dropped 15 znqxhh.exe 3 8->15         started        process5 file6 31 C:\Users\user\znqxhh.exe, PE32 15->31 dropped 33 C:\Users\user\kqdsrbdb\znqxhh.exe (copy), PE32 15->33 dropped 37 Multi AV Scanner detection for dropped file 15->37 39 Drops PE files to the user root directory 15->39 41 Writes to foreign memory regions 15->41 43 2 other signatures 15->43 19 cmd.exe 1 15->19         started        22 znqxhh.exe 2 15->22         started        signatures7 process8 dnsIp9 53 Uses schtasks.exe or at.exe to add and modify task schedules 19->53 25 conhost.exe 19->25         started        27 schtasks.exe 1 19->27         started        35 update.mcafee-endpoint.com 46.246.82.5, 3360 PORTLANEwwwportlanecomSE Sweden 22->35 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/168788f3ea6bb2fd9ac8f5925b6296f685a5e4ce87e4b5da6a5877109d782b97/
Threat name:
Win32.Trojan.AitInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-05 15:18:21 UTC
File Type:
PE (Exe)
Extracted files:
65
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
588b25087097e7c8aa47d12876af1c3fa939a34fdfd22b26884eb60ff9f7371a
NetWire
6ec7aa60afcb5b409e55f0a47ff4ba273f1c9e28f7bd5c9f32b1d749ccad0719
NetWire
77d83370f3109b9a0c199c60870edd92184c170abfc2f1817cd625245fcfae10
NetWire
afe7d487324952929f8f037bdfbd7249049086fc8c4a90a2acdaaffd6d342823
NetWire
b27c248040351b85f805c45a12dd85396824a1a3388225138d46924a9edd3788
NetWire
b89620cbc9ac44fd7d39e58b04083b674342f3aa55ed9752160fbf6d2e34b785
NetWire
c90fdaf1c8ea72c144395f8450b870865dc56f6ea3cef897464cd9e808d01c4a
NetWire
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
NetWire
+ 7'967 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/220405-spk97scefq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
update.mcafee-endpoint.com:3360
Unpacked files
SH256 hash:
bfc5072699c3f49c29afa7762934181b3d1a882d334c051409751c5b4d3fab26
MD5 hash:
b79adaa9f8ac03baf1847d82e68b9658
SHA1 hash:
8bc2c9f0101f67d7b8706a5f644a2fd01927d26e
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/665949fc-770e-4da2-b88b-96b6a67d80f8/
SH256 hash:
fae2f490ac460970fc1bd63d3a613cafae565963f651c8c486f04a31e84cb96a
MD5 hash:
a7283250950976dcf0080db911e2a94e
SHA1 hash:
0070d8956ec562df4a8b3cc7845aa1f2ad24f1a9
Link:
https://www.unpac.me/results/665949fc-770e-4da2-b88b-96b6a67d80f8/
SH256 hash:
168788f3ea6bb2fd9ac8f5925b6296f685a5e4ce87e4b5da6a5877109d782b97
MD5 hash:
61ed3debbd2ba0a2756614f1fc6aa290
SHA1 hash:
8ec7686292d9257c06171094d135fb16acd5dd1e
Link:
https://www.unpac.me/results/665949fc-770e-4da2-b88b-96b6a67d80f8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/168788f3ea6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/168788f3ea6bb2fd9ac8f5925b6296f685a5e4ce87e4b5da6a5877109d782b97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/260985/

Comments