MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 16


Intelligence 16 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a
SHA3-384 hash: 2f3b7d17498fd7649992ad44881f3c257e1dfcdf7f61e92021ed1a9871f7eea7438bc194bd4fcbea068863f9c536c9f4
SHA1 hash: ef6354188bb751628852c7e35a6999b1d059da0a
MD5 hash: c1c565573c2e426e0a9e69fed42d4797
humanhash: nine-wyoming-don-ink
File name:Payment Receipt.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:877'568 bytes
First seen:2022-11-04 23:22:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:HOBVfs2sFLTAehm8buS89W7sATlCxy8CJ62f6a5CW5v6RsPHXc3b78eR5j:q8TAqbDNTyGJdf6A5HHXc338ePj
Threatray 5'307 similar samples on MalwareBazaar
TLSH T16D15E00F8BE6450ED66935B855F0EFB76799DC00F80BC75F16C6AD4BB8472209212BCA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
Payment Receipt.exe
Verdict:
Malicious activity
Analysis date:
2022-11-04 23:24:29 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/7e4a73ce-5dd5-4c54-8da8-d9b8bbecf01e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/328848/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63659ed73c6c57b4ec410ab8/reports/ddc171ba-8c59-42d5-92cb-ef570c6d3d40/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3914869-8abb-4679-b76a-cc2ddbc3cbe1
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1105867
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 738529 Sample: Payment Receipt.exe Startdate: 05/11/2022 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 15 other signatures 2->64 7 Payment Receipt.exe 7 2->7         started        11 qPvgLWJsJNHm.exe 5 2->11         started        13 Payment Receipt.exe 2->13         started        15 qPvgLWJsJNHm.exe 2->15         started        process3 file4 48 C:\Users\user\AppData\...\qPvgLWJsJNHm.exe, PE32 7->48 dropped 50 C:\Users\...\qPvgLWJsJNHm.exe:Zone.Identifier, ASCII 7->50 dropped 52 C:\Users\user\AppData\Local\...\tmp6857.tmp, XML 7->52 dropped 54 C:\Users\user\...\Payment Receipt.exe.log, ASCII 7->54 dropped 66 Adds a directory exclusion to Windows Defender 7->66 17 Payment Receipt.exe 3 7->17         started        20 powershell.exe 21 7->20         started        34 4 other processes 7->34 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 72 Injects a PE file into a foreign processes 11->72 22 qPvgLWJsJNHm.exe 11->22         started        24 schtasks.exe 1 11->24         started        26 Payment Receipt.exe 13->26         started        28 schtasks.exe 13->28         started        30 qPvgLWJsJNHm.exe 15->30         started        32 schtasks.exe 15->32         started        signatures5 process6 dnsIp7 56 zonedx.ddns.net 85.209.134.105, 3360, 49695, 49696 CMCSUS Germany 17->56 36 conhost.exe 20->36         started        38 conhost.exe 24->38         started        40 conhost.exe 28->40         started        42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 34->46         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-03 10:04:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eod57vysxfkmqzn3jet7ayumks7tbonbcwzdqpbn75ruk2efiy5a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2abcdb606044f4db592baa3f9c808bf4fcab2146c49d83ba45a4ccbb20bc8354
NetWire
50050a189f878a24b57acedf046acfe5011dae30f50a21054a75fcda2947ff5b
NetWire
8f24221caef706d4502572968c0cf1317e632ebcb64157a5a1dafbdde7fc642c
NetWire
b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25
NetWire
f3ba07ea43adc68f25d26028ec31b752001be473d77b69d5c89e1ef393d37812
NetWire
f6226702ec3ded25ec5e0d7d1cbaae386540e990857ec7604ec93284113b4897
NetWire
+ 5'297 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/221104-3c4wwsdghn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
zonedx.ddns.net:3360
85.209.134.105:3360
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68869db4-0847-44b5-bdcd-ab4811664460
Unpacked files
SH256 hash:
86ddb2e4bfce524c740fc7275b6f82f753abe7517c8ddd6a1f22e84a53fe9403
MD5 hash:
6b873d54f6c0b15d473eec7b5e080ad6
SHA1 hash:
eab1744ae524ec63e618f099433993f9fca6b92e
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/a7d0dcae-643b-4454-9482-259c3d586658/
SH256 hash:
b2a04ae2b03a1739b424232b5c0f2fd40ebe9e171389c98e1a0a7d208a7fd19f
MD5 hash:
99bfbde010ddc6f3330cbdfd148b985e
SHA1 hash:
7a959e4c969f3c6c8fe1cbc2537f632366855442
Detections:
Netwire
Create hunting rule
win_netwire_auto
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/a7d0dcae-643b-4454-9482-259c3d586658/
Parent samples :
8f24221caef706d4502572968c0cf1317e632ebcb64157a5a1dafbdde7fc642c
2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/a7d0dcae-643b-4454-9482-259c3d586658/
SH256 hash:
0d6a0faee4b8560315d1d6d836d2daa73f064d965b127ff3d729e024179772ca
MD5 hash:
97831c8aacaaa3fa53b9cbf7d94fb440
SHA1 hash:
47cc66ef16678b94962d4d1b67def542b8457b23
Link:
https://www.unpac.me/results/a7d0dcae-643b-4454-9482-259c3d586658/
SH256 hash:
8354a7ad0499febdd288542828ad0355dcb7054c0c518266208e571c5122b0c6
MD5 hash:
6bfc7ce9ec7891d9d8494454332099b5
SHA1 hash:
34fc8cebba035e2cc6d27d636f9655949080bf8e
Link:
https://www.unpac.me/results/a7d0dcae-643b-4454-9482-259c3d586658/
SH256 hash:
2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a
MD5 hash:
c1c565573c2e426e0a9e69fed42d4797
SHA1 hash:
ef6354188bb751628852c7e35a6999b1d059da0a
Link:
https://www.unpac.me/results/a7d0dcae-643b-4454-9482-259c3d586658/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:malware_netwire_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:MAL_unspecified_Jan18_1_RID2F4A
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:netwire
Create hunting rule
Author:jeFF0Falltrades
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:Windows_Trojan_Netwire_1b43df38
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Netwire_6a7df287
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Netwire_f42cb379
Create hunting rule
Author:Elastic Security
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a

(this sample)

  
Dropped by
netwire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/328848/

Comments