MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da
SHA3-384 hash: a8af13ca87d243c5bac5ff4fabee34ccee55c85365e976ab8320dfb4dbcdedf4bc7d8ea95521d0701405b604f120fdf4
SHA1 hash: 2485386cfcbd5ced1d0457f1388c8963c4d51dfd
MD5 hash: 25ede3b274752bd243cd1bd128981457
humanhash: fillet-one-uniform-december
File name:76456765.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:664'820 bytes
First seen:2020-08-03 12:48:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b07fe93f682d6b1b3b4d415582d568f (2 x RemcosRAT, 2 x Formbook, 1 x Loki)
ssdeep 12288:+RxUDS00+p4VA3RX2+pTJc01omVeu4066CEj:+RxKd+A3RX20qfa006
Threatray 495 similar samples on MalwareBazaar
TLSH BCE4A023F6E18837C573297C5D5B96A8AF25BE112A38684E2FE40D4C8F396513D390DB
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

From: doris.sun <doris.sun@dl-hb.net>
Subject: RFQ_76456765
Attachment: RFQ_76456765.rar (contains "76456765.exe")

NetWire RAT C2:
okamoto.hopto.org:3871 (194.5.97.15)

Pointing to nVpn:

% Information related to '194.5.97.0 - 194.5.97.255'

% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'

inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37809/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Setting a single autorun event
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/407888
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NetWire
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 12:50:08 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ehhpnwqe64tfemjr3ppbfbk3nuow2zomtmahluc3sc3wg22wzdna._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282
NetWire
2928d0d53b459f6b822fd781360a743b3548f31c31c012ba8a25b42235aff154
NetWire
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
8c940846bd45f30de0358c90c8caef670b5e15bc9468452418d215c40ed62a20
NetWire
934609a4e6bbf6eda68c1a09fbd0d5e331229f974148c21aa99add9f94171ec1
NetWire
b0a98ae8b1dadc3b181f6252abef59940ceeb5019cd4ae2f0feadb0a520063cd
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb
NetWire
+ 485 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
persistence botnet stealer family:netwire
Link:
https://tria.ge/reports/200803-r76nxajkdn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51

NetWire

Executable exe 21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da

(this sample)

  
Dropped by
MD5 53e93b27bf99c110b603bb56ee5859c5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37809/
  
Dropped by
SHA256 0b5914f4e05c132523ea6d767fdbcfc17006055f1da5a2f4e6d2cb345adc8e51

Comments