MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191f29c5b494d3d2c31e054cfd7b1ceaaa49d3376627e8b4bcef7181f4602233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 191f29c5b494d3d2c31e054cfd7b1ceaaa49d3376627e8b4bcef7181f4602233
SHA3-384 hash: f0f5d5887abac2cb344aebfeb8475d898c92fe3b8caa5c1b956987ad4cc6c0a572e55d554a9ea12856140859e7443668
SHA1 hash: 914a3e4959db06592e2d37c20e1641969c1ffaa2
MD5 hash: 6601eb2222ec03421fd91ceff474ad6f
humanhash: snake-two-bravo-chicken
File name:Label_Details.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:849'920 bytes
First seen:2022-05-13 06:07:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 372320713f1e564a0d81de3a05ba3938 (1 x NetWire, 1 x RemcosRAT)
ssdeep 24576:r9aucRtDQ5oOKwNoYe2Agn4NuDJR6eD0y:JkmmGWeD0
TLSH T1F205C063F2D05237D023DE395D57A2695825BF112F29D88A2FE06EBC5F36782381B193
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter lowmal3
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270294/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17452/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/627df5c5ce11c3e7ab090972/reports/9145b88f-5924-408a-b954-e3129cc4c047/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65182bd1-3eff-48a2-b5c5-5ff6fadbfcee
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993320
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625816 Sample: Label_Details.exe Startdate: 13/05/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 3 other signatures 2->59 8 Label_Details.exe 1 22 2->8         started        13 Htdtted.exe 14 2->13         started        15 Htdtted.exe 17 2->15         started        process3 dnsIp4 39 onedrive.live.com 8->39 47 2 other IPs or domains 8->47 33 C:\Users\Public\Libraries\Htdtted.exe, PE32 8->33 dropped 35 C:\Users\...\Htdtted.exe:Zone.Identifier, ASCII 8->35 dropped 69 Writes to foreign memory regions 8->69 71 Allocates memory in foreign processes 8->71 73 Creates a thread in another existing process (thread injection) 8->73 17 logagent.exe 2 8->17         started        21 cmd.exe 1 8->21         started        41 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49783, 49785 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->41 43 onedrive.live.com 13->43 49 2 other IPs or domains 13->49 75 Injects a PE file into a foreign processes 13->75 23 logagent.exe 13->23         started        45 onedrive.live.com 15->45 51 2 other IPs or domains 15->51 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 194.36.111.59, 49781, 5839 M247GB Romania 17->37 61 Contains functionality to log keystrokes 17->61 63 Found evasive API chain (may stop execution after checking mutex) 17->63 65 Found stalling execution ending in API Sleep call 17->65 67 2 other signatures 17->67 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/191f29c5b494d3d2c31e054cfd7b1ceaaa49d3376627e8b4bcef7181f4602233/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 06:08:07 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=depstrnustj5fqy6avgp26y45kvetuzxmyt6rnf455yyd5daeizq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence rat stealer trojan
Link:
https://tria.ge/reports/220513-gvwscafgdm/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
194.36.111.59:5839
213.152.161.249:5839
184.75.221.115:5839
217.151.98.163:5839
37.120.217.243:5839
Unpacked files
SH256 hash:
21c0fb2b53a8dc9d38a9cef684adce53f0dd311c3e8861cddda7946408f00b77
MD5 hash:
e91f52a1d9b8f23ae40be2e76017452c
SHA1 hash:
f86fd2cfcc8513e76c7c3ae74ae03d509aa3f453
Link:
https://www.unpac.me/results/75858d5a-3f0c-4dce-9ebd-4c35afac9b29/
SH256 hash:
3474c262eed6955e86145199ed96f5536630f9fe6d90979180d1431b7293b440
MD5 hash:
cd02b4c7e56f1edcc4116648b9a182f7
SHA1 hash:
38197ba2a2224a87259604755e3942d23a44bb91
Link:
https://www.unpac.me/results/75858d5a-3f0c-4dce-9ebd-4c35afac9b29/
SH256 hash:
191f29c5b494d3d2c31e054cfd7b1ceaaa49d3376627e8b4bcef7181f4602233
MD5 hash:
6601eb2222ec03421fd91ceff474ad6f
SHA1 hash:
914a3e4959db06592e2d37c20e1641969c1ffaa2
Link:
https://www.unpac.me/results/75858d5a-3f0c-4dce-9ebd-4c35afac9b29/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/191f29c5b494/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/191f29c5b494d3d2c31e054cfd7b1ceaaa49d3376627e8b4bcef7181f4602233

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 191f29c5b494d3d2c31e054cfd7b1ceaaa49d3376627e8b4bcef7181f4602233

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270294/

Comments