MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d
SHA3-384 hash: dedee09673ec1b75a50419dd6890f9288e155fa3e41b9a4c63ff560ed824e70b5cfc852dfc0498b600e09418ba610128
SHA1 hash: 104061e6bb2457cd2a9578e2d52e262e5516066d
MD5 hash: 2a41ef7c698c0fb98b23387ccd1314df
humanhash: snake-lithium-equal-ten
File name:CON#8735.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:817'152 bytes
First seen:2021-09-20 17:40:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GqDijoMSmtiK5o6jZ4VhkOM1eDd56uYsXFVBHxyAXPXekGQK:Gs+Fo3cOagVXFP/XzZK
Threatray 10'495 similar samples on MalwareBazaar
TLSH T11E05ADC13D47D89BF4DF2AB398AFC4201165AE8D9161C73D26927B2B54F3352306BA4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
194.5.98.25:5345

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.25:5345 https://threatfox.abuse.ch/ioc/223788/

Intelligence

File Origin
# of uploads :
1
# of downloads :
571
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CON#8735.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 17:43:18 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/bc2deaae-0280-4ba2-b105-58c7876e65c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189540/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.6763.29956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68324d11-aaeb-4a28-8a00-3a2dc72e8b40
Result
Threat name:
AgentTesla NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854316
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Creates multiple autostart registry keys
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected NetWire RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486747 Sample: CON#8735.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected AgentTesla 2->69 71 Yara detected Telegram RAT 2->71 73 6 other signatures 2->73 8 CON#8735.exe 15 7 2->8         started        13 cay.exe 2->13         started        15 uyp.exe 2->15         started        17 4 other processes 2->17 process3 dnsIp4 59 cdn.discordapp.com 162.159.133.233, 443, 49736 CLOUDFLARENETUS United States 8->59 47 C:\Users\user\AppData\Local\Temp\bete.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\...\CON#8735.exe.log, ASCII 8->49 dropped 85 Writes to foreign memory regions 8->85 87 Allocates memory in foreign processes 8->87 89 Injects a PE file into a foreign processes 8->89 19 bete.exe 7 8->19         started        23 MSBuild.exe 3 8->23         started        91 Antivirus detection for dropped file 13->91 93 Multi AV Scanner detection for dropped file 13->93 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->95 97 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 13->97 99 Machine Learning detection for dropped file 15->99 101 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->101 61 192.168.2.1 unknown unknown 17->61 63 betterday.duckdns.org 17->63 65 betterday.duckdns.org 17->65 file5 signatures6 process7 file8 41 C:\Users\user\AppData\Local\Temp\maur.exe, PE32 19->41 dropped 43 C:\Users\user\AppData\Local\Temp\49.exe, PE32 19->43 dropped 45 C:\Users\user\AppData\Local\Temp\22.exe, PE32 19->45 dropped 75 Antivirus detection for dropped file 19->75 77 Multi AV Scanner detection for dropped file 19->77 79 Machine Learning detection for dropped file 19->79 25 22.exe 2 6 19->25         started        29 49.exe 2 4 19->29         started        31 maur.exe 19->31         started        81 Contains functionality to steal Chrome passwords or cookies 23->81 33 Host.exe 4 23->33         started        signatures9 process10 file11 51 C:\Users\user\AppData\Local\Temp\...\cay.exe, PE32 25->51 dropped 103 Antivirus detection for dropped file 25->103 105 Multi AV Scanner detection for dropped file 25->105 107 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->107 115 4 other signatures 25->115 53 C:\Users\user\AppData\Local\Temp\...\uyp.exe, PE32 29->53 dropped 109 Tries to steal Mail credentials (via file access) 29->109 111 Machine Learning detection for dropped file 29->111 113 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 29->113 55 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 31->55 dropped 35 Host.exe 31->35         started        39 conhost.exe 33->39         started        signatures12 process13 dnsIp14 57 betterday.duckdns.org 194.5.98.25, 49739, 49745, 49746 DANILENKODE Netherlands 35->57 83 Creates multiple autostart registry keys 35->83 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:41:04 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ep4ug6i3k5ltbhqpubjrytzup3f2hvc5k2gndkxd62biv4ga5ioq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0538554b73f98f395950af81f30e4fc99407e991babdce510bb61f9f9b56f23e
NetWire
06835e2c284ded66ca44497caf918d1ce6f216e68af866e85ac6fb79332b75f7
NetWire
1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
NetWire
2cda176ce221ab580e6d9bbebc4333fa2156c33c9d4e3666c38eba656e13ef6b
NetWire
3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
760c5c96174d0f5f899970f3b35da290b831f4c85221b1e274a5491fcf08b264
NetWire
8c940846bd45f30de0358c90c8caef670b5e15bc9468452418d215c40ed62a20
NetWire
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa
NetWire
bcdc3a6d1789655987f5d907b4448d4cf1f5c862b6f24b91ae7b73dcaca65b2a
NetWire
+ 10'485 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:netwire botnet keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210920-v9ez2aeff8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
betterday.duckdns.org:5345
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Unpacked files
SH256 hash:
7aca473b092444754e753820396f40e5be95fb08b8c672ef52c73e92b452e13c
MD5 hash:
37c22aeaa464214a9877e62661fe0f64
SHA1 hash:
ebc78b07c4507934a0ba4e746b8ded21ec448ac0
Link:
https://www.unpac.me/results/fffe6af9-1946-4564-a5f1-8a37d59764af/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/fffe6af9-1946-4564-a5f1-8a37d59764af/
SH256 hash:
7e6fa0a42ec2f1fe4b480c6ac97da7181c09089ad6045acb69e92b8a2e6d73cd
MD5 hash:
fbc14e440fd067cbdc3e18d939e9e638
SHA1 hash:
26fe0780a2d652b401b00d573c77f95853bdb293
Link:
https://www.unpac.me/results/fffe6af9-1946-4564-a5f1-8a37d59764af/
SH256 hash:
0d46fa6b67893cdfa116756b67b4f342aa093ac2e4e9574fd2e9b60ada66b5fe
MD5 hash:
2f04be5ed8911b97868e8b859ff9072a
SHA1 hash:
20cd1daa8a424579316faf62026806587a70578e
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/fffe6af9-1946-4564-a5f1-8a37d59764af/
Parent samples :
d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc
23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d
be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50
SH256 hash:
23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d
MD5 hash:
2a41ef7c698c0fb98b23387ccd1314df
SHA1 hash:
104061e6bb2457cd2a9578e2d52e262e5516066d
Link:
https://www.unpac.me/results/fffe6af9-1946-4564-a5f1-8a37d59764af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189540/

Comments