MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c4c2da9632d0c694a0f24b66635e4237070e4ed05879314415a6eca69443138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c4c2da9632d0c694a0f24b66635e4237070e4ed05879314415a6eca69443138
SHA3-384 hash: df542024c3a8de8863fe7f42bb22d2db2d4188c289de3a01cbb14bf47277bc0bc46fef406f8ecbe034357853d305dd47
SHA1 hash: 54371a729794a78672b7ee4f3b00c104110cb5ce
MD5 hash: 7ae0717196102b552453ce01a2016eed
humanhash: zulu-fifteen-aspen-nine
File name:Our New Order Feb 22 2021 at 2.30_PVV440_PDF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:559'104 bytes
First seen:2021-02-22 18:52:46 UTC
Last seen:2021-02-22 20:30:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:f822C59+VPkKma5cJwhGAd93Y2nf3AVZWjNMdeytvn:15wP135cJw5d36Qjfy
Threatray 332 similar samples on MalwareBazaar
TLSH C3C4AE256B48BB2CE57E9737C9A0545F93FAFC1382A2D56B2CE131AF4C63F844720916
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: servidor2.mediosenred.tv
Sending IP: 5.145.175.121
From: Dusan Matkovic <Dusan.azih@getinge.com>
Subject: RE: AW: Our New Order//Shipment No.00187
Attachment: Our New Order Feb 22 2021 at 2.30_PVV440_PDF.img (contains "Our New Order Feb 22 2021 at 2.30_PVV440_PDF.exe")

NetWire RAT C2:
mmakopl.duckdns.org:5569

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118376/
Detection(s):
SecuriteInfo.com.FileRepMalware.15383.18355.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614452
Signature
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1c4c2da9632d0c694a0f24b66635e4237070e4ed05879314415a6eca69443138/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 18:53:06 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=drgc3kldfuggssqpes3gmnpeenyhbzhnawdzgfcbljxmu2kege4a._file
Verdict:
suspicious
Similar samples:
134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
NetWire
4990b0164b660d9e8966fb35fc3d5f4f30b42c7e3861a14fc9255075b129c86e
NetWire
4c5cbccc8138f4f003b85294224f0459daf2182b6211be55b62abf62919d4b05
NetWire
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
NetWire
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
NetWire
7a6dec2d6d0f46a15bcaa0b667eb864a6c3c93743727530fdbd4253a2a4a0fab
NetWire
ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040
NetWire
e243f4e848dcd9895b983893416c98f2f0a39163bc8a2d5d53bf04f63e0a7c2c
NetWire
e56fe870da3015a5537b82acf5b9228953cafa74235b5c9257eaf049a6045cc6
NetWire
e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae
NetWire
+ 322 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210222-vd6y4vww72/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/2cef1136-f34c-452e-85f5-0c7af700c7c8/
SH256 hash:
1c4c2da9632d0c694a0f24b66635e4237070e4ed05879314415a6eca69443138
MD5 hash:
7ae0717196102b552453ce01a2016eed
SHA1 hash:
54371a729794a78672b7ee4f3b00c104110cb5ce
Link:
https://www.unpac.me/results/2cef1136-f34c-452e-85f5-0c7af700c7c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c4c2da9632d0c694a0f24b66635e4237070e4ed05879314415a6eca69443138

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img 3fdb7f894f8a9971ee561d74f3ebecbc579f9233face1c4415f102f48f6db07c

NetWire

Executable exe 1c4c2da9632d0c694a0f24b66635e4237070e4ed05879314415a6eca69443138

(this sample)

  
Dropped by
MD5 267d3bb5f99ff63a9ee3f3c0ca3e1c06
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118376/
  
Dropped by
SHA256 3fdb7f894f8a9971ee561d74f3ebecbc579f9233face1c4415f102f48f6db07c

Comments