MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b
SHA3-384 hash:	1ad990a923ae9125568874bda3cfbddb0a236c349b3ea18c909e7a9085a3dffde5f2250ec8af324a9acb80a40cd2c84d
SHA1 hash:	dc701de083f206107d9fb097a1ed25b726315e6a
MD5 hash:	24e2eabeea1477f9e565e30709d5bebd
humanhash:	music-illinois-west-red
File name:	PO-0867-XDS1047597-Order pdf.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	667'648 bytes
First seen:	2022-04-22 07:10:39 UTC
Last seen:	2022-04-22 07:51:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:S+hUKgN3/IMiz9mRPq8pIa+jlYPQQN2v4lRGe5uPCamWwnhhAYtv/h9:sN3v3RPxpIzjeFN2v4Se5uaaehhBdh
Threatray	853 similar samples on MalwareBazaar
TLSH	T12EE412927BD8C0A0D87EE37568D7044B53F4C647A30D671A488796B72BA03912B5BFCE
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8f312d4d4d398363 (3 x NetWire)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
69.12.64.134:8844

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
69.12.64.134:8844	https://threatfox.abuse.ch/ioc/524619/

Intelligence

File Origin

# of uploads :

# of downloads :

444

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/265645/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.14290.26058.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed pos replace.exe

Link:

https://www.filescan.io/uploads/6262550fffe27d51192cf176/reports/01353f7e-54b0-4713-abf0-973dead929b1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/58a711ea-fb09-40ed-89c6-a84074f8fe5a

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/981163

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b/

Threat name:

ByteCode-MSIL.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2022-04-22 07:11:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dykzrteyv3ksurwb4kgsx53vemwqdvtjr3wd2pvnxq5ahelh5wfq._file

Verdict:

malicious

NetWire

3db7b6003f173b4b0faff6725ce88a9db8d636fd431901ed32cccd494ff2a29e

NetWire

5b8124423be6af37ad74816af0d1df049bc6d740117e934947b067d5fa61eb0b

NetWire

a2700363ab4167505a43f933449a4b25a9036f8fae65e46e28b9bb1ce319e9cb

NetWire

afd47bb332ef06bf7c4f7c4a4470cf5b6e2acb6c4db3b3e6f453ff0dfc4a63f7

NetWire

e4bba9c2af86f903aeecbaf44534222faf78b07bdb4c7604e747ecd6898e38e2

NetWire

+ 843 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220422-hzx2msbbd9/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

cb5c3bfd129c16be637f36a412aa5da709ff174b480c71f5856d6153ea4938d7

MD5 hash:

e16e1dd44fa548616b2d8cb3aa693f63

SHA1 hash:

36ae663197652b24814692309cfa2f7aad31b2ce

Detections:

win_netwire_g1

Link:

https://www.unpac.me/results/a7f7d608-004b-4c98-bf0f-762e1c79d197/

SH256 hash:

ee8ea5e274e98e735bcbc3e2e2f8e4ac04e35f5b1106193d76469e16feaa4bdc

MD5 hash:

f85dc48bfd8d9712871493d02777b1ba

SHA1 hash:

3040d662d173336c148ec40dbfae2b7da6474bbd

Link:

https://www.unpac.me/results/a7f7d608-004b-4c98-bf0f-762e1c79d197/

SH256 hash:

8e1b71477c489cbc954c8d54d08284f759ab2cd1b65050128ecbda9ebe16904d

MD5 hash:

b477c0f043954b457d5f0f91327ec606

SHA1 hash:

0db8774ef3e2b8245504f66a35afcf987ebdaaba

Link:

https://www.unpac.me/results/a7f7d608-004b-4c98-bf0f-762e1c79d197/

SH256 hash:

9c36d99dbfc69f7b3275e2833e3ac4cbab780cec713af3a0fe4e789b5d823a4e

MD5 hash:

f27fbba6d504e3e6110e9719503c798b

SHA1 hash:

06c80db3c21ebefdea7bca6615e453f2cfb87149

Link:

https://www.unpac.me/results/a7f7d608-004b-4c98-bf0f-762e1c79d197/

SH256 hash:

1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b

MD5 hash:

24e2eabeea1477f9e565e30709d5bebd

SHA1 hash:

dc701de083f206107d9fb097a1ed25b726315e6a

Link:

https://www.unpac.me/results/a7f7d608-004b-4c98-bf0f-762e1c79d197/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/265645/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample