MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
SHA3-384 hash: dc8089e2a0d4bb0760a69feebb94562663c222f2ea4ae2830e23136ef6ead3136880af3ff2627952576077a6088c1c11
SHA1 hash: 25d20a249b0e1d38ecc0f368605ff39776645d1a
MD5 hash: 84e792790474ec5d19a491b9ec553b3d
humanhash: neptune-beer-hotel-stream
File name:INQ 80469046 DBT.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'025'536 bytes
First seen:2023-01-19 10:52:44 UTC
Last seen:2023-01-19 13:13:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:7gPD5Nb3ewHdqoXpDLycm6AP+nYWUP4tFd8vHX6E/VhL:7gPD5Nb/Jycm62+neP4tF6360VhL
Threatray 5'818 similar samples on MalwareBazaar
TLSH T16B25BFE5029DC6E6E8E60E38061C791467999C97837DA17EBEC3147F84F678F40783A2
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
INQ 80469046 DBT.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 10:54:06 UTC
Tags:
netwire
Link:
https://app.any.run/tasks/f16e4e23-f69a-459f-995a-47047f20c122

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354432/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65013071.3693.15191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c9210eafdaca54d4396276/reports/6eb4cad5-3dfb-4473-8052-a35755376f23/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79d7deb1-c28b-4697-bc2a-5579e1af7b4d
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154547
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787279 Sample: INQ 80469046 DBT.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Sigma detected: Scheduled temp file as task from temp location 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 11 other signatures 2->83 9 INQ 80469046 DBT.exe 7 2->9         started        13 qKcaUVIbG.exe 5 2->13         started        15 Host.exe 2->15         started        17 2 other processes 2->17 process3 file4 67 C:\Users\user\AppData\Roaming\qKcaUVIbG.exe, PE32 9->67 dropped 69 C:\Users\...\qKcaUVIbG.exe:Zone.Identifier, ASCII 9->69 dropped 71 C:\Users\user\AppData\Local\...\tmp54A8.tmp, XML 9->71 dropped 73 C:\Users\user\...\INQ 80469046 DBT.exe.log, ASCII 9->73 dropped 93 Adds a directory exclusion to Windows Defender 9->93 19 INQ 80469046 DBT.exe 3 9->19         started        22 powershell.exe 21 9->22         started        24 schtasks.exe 1 9->24         started        95 Multi AV Scanner detection for dropped file 13->95 97 Machine Learning detection for dropped file 13->97 99 Injects a PE file into a foreign processes 13->99 26 schtasks.exe 13->26         started        28 qKcaUVIbG.exe 13->28         started        30 schtasks.exe 15->30         started        32 Host.exe 15->32         started        34 qKcaUVIbG.exe 17->34         started        37 3 other processes 17->37 signatures5 process6 file7 65 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 19->65 dropped 39 Host.exe 5 19->39         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 30->48         started        85 Creates autostart registry keys with suspicious names 34->85 50 conhost.exe 37->50         started        52 conhost.exe 37->52         started        signatures8 process9 signatures10 87 Multi AV Scanner detection for dropped file 39->87 89 Machine Learning detection for dropped file 39->89 91 Adds a directory exclusion to Windows Defender 39->91 54 powershell.exe 39->54         started        56 schtasks.exe 39->56         started        58 Host.exe 39->58         started        process11 dnsIp12 61 conhost.exe 54->61         started        63 conhost.exe 56->63         started        75 212.193.30.230, 6063 SPD-NETTR Russian Federation 58->75 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e/
Threat name:
Win32.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2023-01-16 07:05:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
32 of 39 (82.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=daa2q5hcgclrqxbznx6mmjn6xlsjk56wlkixomzlr54rqeafjnha._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
NetWire
1bb72419895796c3a394f4b55f0c31959c992111803764d8167dcb6c7af3088c
NetWire
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
NetWire
98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9
NetWire
99e8dfa23cef1d5d67c765df3de3bc6e750a2d8fa4628a9442d08fc40aaaa656
NetWire
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
NetWire
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
NetWire
+ 5'808 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/230119-myyzrscf7z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:6063
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/be317315-0442-4077-ab9c-b4076d4be778
Unpacked files
SH256 hash:
3a1108ba9eb7617758c85b4795254d0b012a05d4acb5462d39363dc9f77e5eb5
MD5 hash:
8e5d2da72113328b9dbc4fd1b1ac94b6
SHA1 hash:
af5d6eb888a1646618f9b2d31f4a9dad6bdecd94
Link:
https://www.unpac.me/results/4582fa08-ff05-4a9f-816a-5d030b458130/
SH256 hash:
182cf65a5c796f50c29294fb6c3d23bcaf1aa662988a640e9034ee263002c791
MD5 hash:
4fe46357fa8c5e1c3ea20c2cacd0ebcd
SHA1 hash:
f61165e74b0dbf65916a82a9fb81ad0fda04392c
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/4582fa08-ff05-4a9f-816a-5d030b458130/
SH256 hash:
47671e7228459787f800299398fcb760125bd7a9950bf13e82ed868c94674431
MD5 hash:
6f3f16005586d93489853c13dfd6abae
SHA1 hash:
98cf6314fe463440ca8f423bd855a108b01fc752
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/4582fa08-ff05-4a9f-816a-5d030b458130/
Parent samples :
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1
a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
SH256 hash:
4ff69adc138e80188ec9e6a7518b51187fe1efb412518c175fcfd7d7b5f0bbc5
MD5 hash:
d67c29a49d943457d90b875f8e4b3dcc
SHA1 hash:
67b34714abe278d9cd05375a208b042dd9c5f1d7
Link:
https://www.unpac.me/results/4582fa08-ff05-4a9f-816a-5d030b458130/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/4582fa08-ff05-4a9f-816a-5d030b458130/
SH256 hash:
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
MD5 hash:
84e792790474ec5d19a491b9ec553b3d
SHA1 hash:
25d20a249b0e1d38ecc0f368605ff39776645d1a
Link:
https://www.unpac.me/results/4582fa08-ff05-4a9f-816a-5d030b458130/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1801a874e230/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e

(this sample)

  
Dropped by
NetWire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/354432/

Comments