MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aa7d80336821e86d39b12d3787619f82096e3e4e0004d82187067d92ac105cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aa7d80336821e86d39b12d3787619f82096e3e4e0004d82187067d92ac105cf
SHA3-384 hash: f647766115bae4cb055366aabe4a30eeb177ffad3df3a842e47fec238a4da18c8e7f5583cf27ddff9e691210a2005356
SHA1 hash: 12bb2f88ad66da6b0c9083535f5ac6c245f36786
MD5 hash: ef4ad1a051199aaf77164623b178a27a
humanhash: florida-iowa-north-winter
File name:https___cdn-111.anonfiles.com_heCeW9x6u7_3be78282-1622068029_PO_20880538.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:215'540 bytes
First seen:2021-05-26 22:19:23 UTC
Last seen:2021-05-26 22:44:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:aQqgnO/83Z2UwLSQSKZyX9vQTmvbg8JljH2QxJ/Gxb:vnO/8p2/SQS3XOTSbvtB/Gxb
Threatray 481 similar samples on MalwareBazaar
TLSH 4D24124D62E490ABD4A709316E72CB64EBF6FB46270011BB5B702F6F176A083475B6C3
Reporter Racco42
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https___cdn-111.anonfiles.com_heCeW9x6u7_3be78282-1622068029_PO_20880538.exe
Verdict:
Malicious activity
Analysis date:
2021-05-26 22:26:38 UTC
Tags:
installer trojan netwire
Link:
https://app.any.run/tasks/0c13efd5-12e5-4cd4-a280-a901800262dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162597/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36972027.1255.2690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a window
DNS request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792961
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 425357 Sample: https___cdn-111.anonfiles.c... Startdate: 27/05/2021 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for domain / URL 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 6 other signatures 2->39 6 ncyxsuhnn.exe 17 2->6         started        10 https___cdn-111.anonfiles.com_heCeW9x6u7_3be78282-1622068029_PO_20880538.exe 1 22 2->10         started        12 ncyxsuhnn.exe 17 2->12         started        process3 file4 21 C:\Users\user\AppData\Local\...\System.dll, PE32 6->21 dropped 41 Multi AV Scanner detection for dropped file 6->41 43 Detected unpacking (changes PE section rights) 6->43 45 Detected unpacking (overwrites its own PE header) 6->45 47 Machine Learning detection for dropped file 6->47 14 ncyxsuhnn.exe 6->14         started        23 C:\Users\user\AppData\...\ncyxsuhnn.exe, PE32 10->23 dropped 25 C:\Users\user\AppData\Local\...\System.dll, PE32 10->25 dropped 49 Contains functionality to log keystrokes 10->49 51 Contains functionality to steal Internet Explorer form passwords 10->51 53 Contains functionality to steal Chrome passwords or cookies 10->53 17 https___cdn-111.anonfiles.com_heCeW9x6u7_3be78282-1622068029_PO_20880538.exe 2 10->17         started        27 C:\Users\user\AppData\Local\...\System.dll, PE32 12->27 dropped 55 Maps a DLL or memory area into another process 12->55 19 ncyxsuhnn.exe 12->19         started        signatures5 process6 dnsIp7 29 sipex2021.ddns.net 79.134.225.7, 8753 FINK-TELECOM-SERVICESCH Switzerland 17->29 31 192.168.2.1 unknown unknown 19->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1aa7d80336821e86d39b12d3787619f82096e3e4e0004d82187067d92ac105cf/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 01:59:21 UTC
AV detection:
25 of 47 (53.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkt5qazwqipinu43cljxq5qz7aqjny7e4aae3aqyobt5skwbaxhq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18
NetWire
76947dcfe886fe0e3273c7723140533999741f239a2ad7568a460cae74bb0e50
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
98a046d5edb9540592c6b45a2efa070864637109894d8d831e804ba09bbbcbb4
NetWire
9fedb9fe35eae9739d319565aed4cbd16325242f8815cdf21d12d02e5601109d
NetWire
bdfb906a3a02d8a28bef1d13d0abff090bc9582373e05e5f376186e9a7c5a902
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
ee105aefe05012972398fb6eed4c5b408b1c7c81072a5b97e99cd4072c4f853f
NetWire
f5d88ee96cd5fbdda828c9ec267600fb6308a11318f8290d6d15d34f64070f05
NetWire
fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992
NetWire
+ 471 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210526-ck4agcewee/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
sipex2021.ddns.net:8753
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/1aa7d80336821e86d39b12d3787619f82096e3e4e0004d82187067d92ac105cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/162597/

Comments