MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90
SHA3-384 hash: ef445b7dfdaa213855c28b40a3ae8dbb566392d74117adbd25a1439c39af0047a8a0749d2aeca25a5ea887dd79875cf8
SHA1 hash: 8183320a9a31c56f31e482d76240afbb4a6dae54
MD5 hash: 1ddc40fd6ae75ccf9fffe1f0a01a9d63
humanhash: timing-kentucky-lima-echo
File name:Payment notification.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:776'192 bytes
First seen:2021-01-11 09:19:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:G7nbXglNN+vvlmktiDOyykOfoQbbm6HmYj53kIPj/xCX9YctZNDib7O1WI22:G70ivhEOrkOQ8pGYjmsZCX9V87O1/1
Threatray 6 similar samples on MalwareBazaar
TLSH 59F4F14036B56F12FE3847F4452E480503FB786BB56AEB5C4CCAF1EA2166F064A52F63
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: smtp.hugedns.co.za
Sending IP: 102.67.140.104
From: Payment@capitecbank.co.za
Reply-To: No-reply@capitecbank.co.za
Subject: Payment Notification
Attachment: Payment notification.img (contains "Payment notification.exe")

NetWire RAT C2:
185.140.53.146:3393

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-11-06T23:02:44Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment notification.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 09:28:41 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/e4eb4795-0e7e-4bbc-95fe-1333e7aa164f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111268/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577784
Signature
.NET source code contains potential unpacker
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-11 09:20:24 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eyrhenhrdmkv2ucgc7uvqdjc57s2t6k5klhhm65n5gknum45bwia._file
Verdict:
unknown
Similar samples:
03f59392c1339bb9b35acd1305d42e037f4173c8a5b97852b7451b7252f73f52
NetWire
32518775226efb9813e62e4fe5d66050bc7118ac804c8d08aeace793bd9ef635
NetWire
622cb2307249d677ec2bfe0781c5870e9882097c6f20e79741e1c552b259b428
NetWire
812e3a714bab007330415791cb76653b1488217fb1d22406244990e98879fe8e
NetWire
d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c
NetWire
dea38651b06aab617e93bdb343fd28587bdc0e113a4fc957571a06988491ade7
NetWire
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210111-kwxrr813wx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
dee3f7ab31728db21b8b44595133a83207d00851ab4c2af95e720a20a5807a97
MD5 hash:
a96e33a0c6d3829b12e6d1e197363562
SHA1 hash:
1eef5e06ada6d6e648c7cf79a1b6e9197c766c79
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/8d4d0a69-b56f-4391-9cb0-84a0751f79d8/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/8d4d0a69-b56f-4391-9cb0-84a0751f79d8/
SH256 hash:
b88e0d8a0d0970552e010ad86ae7e7a18db0fae0b93e98f686da12acc1d382b9
MD5 hash:
3b40b882fe557c6adb41ae60e1934f94
SHA1 hash:
9189926cba958498b8e9336cd5976b50e54dd38d
Link:
https://www.unpac.me/results/8d4d0a69-b56f-4391-9cb0-84a0751f79d8/
SH256 hash:
26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90
MD5 hash:
1ddc40fd6ae75ccf9fffe1f0a01a9d63
SHA1 hash:
8183320a9a31c56f31e482d76240afbb4a6dae54
Link:
https://www.unpac.me/results/8d4d0a69-b56f-4391-9cb0-84a0751f79d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917

NetWire

Executable exe 26227234f11b155d504617e9580d22efe5a9f95d52ce767bade994da339d0d90

(this sample)

  
Dropped by
MD5 5589c458fa7898bfb7e85a5609c4899f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111268/
  
Dropped by
SHA256 de9a014f04de8539634f9e335e7ae981834739b0c5ce71c09b3c4b021b298917

Comments