MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 174abb1d310ed4d66212452b8fa479ba77b8a83ba848a6bb748d68c99c16b04f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 174abb1d310ed4d66212452b8fa479ba77b8a83ba848a6bb748d68c99c16b04f
SHA3-384 hash: bd7cb28c0e6b5fbbc5dac221b2a4f31268fa1b5843fde307600755fab40b4c310b4424a278837a355e35b39fd19ea883
SHA1 hash: c0c27e7a17e23460ebdbc48891fb1aa0c1d5e7b6
MD5 hash: 65367593dd25c69bb2e1e3026f2553bf
humanhash: single-winner-october-crazy
File name:draftdocumentsofladingdocumentsMay11052021Sca.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:638'976 bytes
First seen:2021-05-10 08:45:21 UTC
Last seen:2021-05-10 09:54:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97e2c12caa019c315f32545fbee08713 (1 x NetWire)
ssdeep 12288:ISbkTbogZzP7B9RAzSXa2y7bBXjGLjL2SPuixPvr+AIzJgRTx:IZbogtPlHAzSXa2y7blD6pk65x
Threatray 414 similar samples on MalwareBazaar
TLSH 25D4BF06A2549AFAF167E6B609A67D3485A4D9B02F2F4CC3E3C36D1E9536AD13334307
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
193.183.217.73:6577

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.183.217.73:6577 https://threatfox.abuse.ch/ioc/34355/

Intelligence

File Origin
# of uploads :
3
# of downloads :
373
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_DRAFT_1105.xxe
Verdict:
Malicious activity
Analysis date:
2021-05-10 08:21:59 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/6cb876f4-6865-4b21-afe4-813fffe3babf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153864/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.24933.26067.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
DNS request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Osiris NetWire
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/777152
Signature
Antivirus detection for dropped file
Detected Osiris Trojan
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/174abb1d310ed4d66212452b8fa479ba77b8a83ba848a6bb748d68c99c16b04f/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 08:44:24 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c5flwhjrb3knmyqsiuvy7jdzxj33rkb3vbekno3urvumthawwbhq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1dcddce0408092a22c015e183e463020a7231e1f5ca47e71acad4ddcfb0f2385
NetWire
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
NetWire
404655117f92200c14e7c2aa641f27337e18bf8d148e73bbc5d7d37b73b7fc28
NetWire
52dc772f8a1fba5d23b2bd62f1762d49f180579d561bbb64d84f97f4c3a7b2cd
NetWire
63d0937af7bf53fe0b74ae6631452ff2d254ab6c7e1d0a62372f1f6992a1a1fd
NetWire
66ba5ddfe4ba8eff18b461334b8e589d64ee3421fe7f5cd9e1c614e3661f70a3
NetWire
685b70f024513870b1ffa123ee698d21fc4545dbf06dc87608e1794dd3c6b978
NetWire
8cafd9b602e666abf81ea94c48663a8a1ebbf06746ed799be5184ecb748ae304
NetWire
934609a4e6bbf6eda68c1a09fbd0d5e331229f974148c21aa99add9f94171ec1
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
+ 404 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet stealer
Link:
https://tria.ge/reports/210510-vj9p7mpg9e/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Netwire
Unpacked files
SH256 hash:
5d2c57851885ec5632a11354643445fdc4a9bd5c912626b069f2b94ac1371bb9
MD5 hash:
73b2e4987cabc6f8ec1e45b0368f8b08
SHA1 hash:
9efa63ceeff1d48a9b977cf67a642f2dd4cad949
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/efd9bbca-b137-4192-9c47-0c247d26a8fd/
SH256 hash:
174abb1d310ed4d66212452b8fa479ba77b8a83ba848a6bb748d68c99c16b04f
MD5 hash:
65367593dd25c69bb2e1e3026f2553bf
SHA1 hash:
c0c27e7a17e23460ebdbc48891fb1aa0c1d5e7b6
Link:
https://www.unpac.me/results/efd9bbca-b137-4192-9c47-0c247d26a8fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/174abb1d310ed4d66212452b8fa479ba77b8a83ba848a6bb748d68c99c16b04f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153864/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 09:00:42 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.001] Collection::Application Hook
3) [F0002.002] Collection::Polling
4) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
5) [C0019] Data Micro-objective::Check String
6) [C0045] File System Micro-objective::Copy File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
16) [C0040] Process Micro-objective::Allocate Thread Local Storage
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process