MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71
SHA3-384 hash: ad0758c11311f76d7c15f0b543892893ed531051a994c95b569a350f42298965e7e5a2e9324d58da5ecb48c5c6547948
SHA1 hash: e9ecc7e81bfa57eeafbb98431275eb6f29ff7ba0
MD5 hash: 6c2eb9f9a2cafee30350d10ba6a19d5e
humanhash: one-uranus-pizza-uncle
File name:INV2278487.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:684'032 bytes
First seen:2022-04-28 08:13:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:lLLVFkcGSs0r/WYV2AxLWJeoTvYBD92MdRjqUwo5IG/Ypl5SFc0m0yabriKfWzbh:t5NQrT492KOUwtnYFtRytCvIhDJ
Threatray 1'007 similar samples on MalwareBazaar
TLSH T13EE40231B7DC8B67CBAF2B71E438421587F6A61B7662E74F5D90F0EA4C0671219027A3
TrID 49.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.9% (.SCR) Windows screen saver (13101/52/3)
7.1% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 69dca0e8e8e0c448 (22 x AgentTesla, 8 x SnakeKeylogger, 6 x Loki)
Reporter FORMALITYDE
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267488/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1315.13969.22846.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
msbuild.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/626a4c968d02701a7e9016c4/reports/b643beca-02fd-4a5b-aa76-68d1cba57912/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98aee5d6-fdd4-4337-9b67-cf8bd5be7c08
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/984649
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-28 08:14:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnhjlza37tp3q7knegkyzu5hsqlrs6cbqbt3buad2n74gxrnrnyq._file
Verdict:
malicious
Similar samples:
1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b
NetWire
2e84d64eef0d8e78d17e8d286eeff95f97abe0048a66175e5e05d1fc31b0c5d4
NetWire
31db1eaded87c877869d4c247c2da6fa3be4de4f8bcaebf61f499c50275345d6
NetWire
5e6d2bd21400ace31fbbe40c90d5bc5bab25868d252964b1034fc2584525709b
NetWire
a2700363ab4167505a43f933449a4b25a9036f8fae65e46e28b9bb1ce319e9cb
NetWire
afd47bb332ef06bf7c4f7c4a4470cf5b6e2acb6c4db3b3e6f453ff0dfc4a63f7
NetWire
b43ad09955e20f4a1ea20acf2e196d51099570ff03719435f8cbfe7de923c54e
NetWire
+ 997 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220428-j4zlpsbeg8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
6af48b1e17f0c59ea61fd26c1670c6bd9e4fe9f9d3c79a56d91849713eedf7e1
MD5 hash:
681353894806f9e84a51e104c9848735
SHA1 hash:
ac45e61c4c7e622ce4fc563691a125063870f1b3
Link:
https://www.unpac.me/results/08fed1e8-0b29-4da7-9fce-167f8a2e4c46/
SH256 hash:
a05a84c94d79a05947143f2881e826dd8fd04611e07e9b833afa642a6c4868f0
MD5 hash:
8cbc7eeac12280c85b5c62c96c396bed
SHA1 hash:
507a8b29e1469ed29f91adb43dc7953c01e609f8
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/08fed1e8-0b29-4da7-9fce-167f8a2e4c46/
Parent samples :
1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71
283b2bc1a6b060d631bb5dda92f35bc627463f9fb8239ea1007b89d1afb1dede
SH256 hash:
92fc621e886ad486195efe1b074a5186c27599e3dd4d71c72cae3078b8660ae2
MD5 hash:
e80503550a2aa077f62f09c7dc6be7e4
SHA1 hash:
f93e86c149eac50b611a1f9a7b59f5d81026262c
Link:
https://www.unpac.me/results/08fed1e8-0b29-4da7-9fce-167f8a2e4c46/
SH256 hash:
acaec326d9c532e5fa2080347ba5cdc2710cb5a521996a5c11cd5c8950c83b5d
MD5 hash:
381fad6b47d85ac56790c252651e9fe7
SHA1 hash:
8a63fd185dd656c569072c40fd1079e8731fa4c1
Link:
https://www.unpac.me/results/08fed1e8-0b29-4da7-9fce-167f8a2e4c46/
SH256 hash:
1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71
MD5 hash:
6c2eb9f9a2cafee30350d10ba6a19d5e
SHA1 hash:
e9ecc7e81bfa57eeafbb98431275eb6f29ff7ba0
Link:
https://www.unpac.me/results/08fed1e8-0b29-4da7-9fce-167f8a2e4c46/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b4e95e41bfc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/267488/

Comments