MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e
SHA3-384 hash: d8d4bdedf6ff14514b002b5f02ce6b2aa7398a9b565ddd305b7b9d27f548b55969ae3b43fcaad66834e9644142470952
SHA1 hash: 5d410ff26c177bfa4cd74fe472a7043e89091fda
MD5 hash: 4da0b88dce6ebc7197555fbd66d07224
humanhash: utah-venus-nevada-rugby
File name:Albedo Telecom Price 202106075254-Request.XLS.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'587'712 bytes
First seen:2021-06-07 06:46:52 UTC
Last seen:2021-06-07 07:46:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:CvIm1pHFmUVYtXiZmpeQQ+CIDSgFb5u1HvCXGm0:+/HFmUYtXiZmVxugBA1HvCB
Threatray 465 similar samples on MalwareBazaar
TLSH 9F758B222394A5DBE17E9E752C64440872F6BD4AD566DB2EFD8471CA08F3B40D301BBB
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
74.201.28.116:3021

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
74.201.28.116:3021 https://threatfox.abuse.ch/ioc/72229/

Intelligence

File Origin
# of uploads :
2
# of downloads :
386
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Albedo Telecom Price 202106075254-Request.XLS.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 06:52:15 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/9d20de31-317e-4c2c-99bf-60af6771e39a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164913/
Detection(s):
SecuriteInfo.com.Win32.PWSX-genTrj.25326.30817.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797841
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430237 Sample: Albedo Telecom Price 202106... Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected NetWire RAT 2->41 43 7 other signatures 2->43 7 Albedo Telecom Price 202106075254-Request.XLS.exe 7 2->7         started        process3 file4 29 C:\Users\user\AppData\...\aJlrEzzPvFaBt.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\Temp\tmpD08.tmp, XML 7->31 dropped 33 Albedo Telecom Pri...Request.XLS.exe.log, ASCII 7->33 dropped 45 Writes to foreign memory regions 7->45 47 Allocates memory in foreign processes 7->47 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 11 vbc.exe 7->11         started        15 powershell.exe 22 7->15         started        17 powershell.exe 26 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 35 finerthings.duckdns.org 74.201.28.116, 3021, 49740 DEDIPATH-LLCUS United States 11->35 53 Contains functionality to steal Chrome passwords or cookies 11->53 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        signatures8 process9
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 06:47:08 UTC
AV detection:
1 of 46 (2.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e76bzphxalsihohoy6f4eyc6bvc53j7q3lrmblonn6ilhfvbcupa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
7c7a7c3e89daeb57bcd8fe5a895461161efafa3a5b2f111e0e23aff6b3f9535a
NetWire
91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
NetWire
abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
NetWire
b4b073df62d2616baff7c0c48cc6a85e5f5211aa6979fb65ac6e9b328687cec1
NetWire
c4b73299f51cc04c30ee6080144f960c8d5de3d62c0e0b10c6c497f57b844474
NetWire
e04977f7d1fbf8b3a69237bbd2170af6c3046a8ce29e2732cd7c72f079f0e0f8
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
NetWire
+ 455 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210607-8wd9ymlapx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
finerthings.duckdns.org:3021
Unpacked files
SH256 hash:
34e69e90b7cb6121c3f93911f21dfb00491ea5d5bb79bfce4902d04f72c24184
MD5 hash:
b6b086a0ab13f3feb9ee8c846d230e5d
SHA1 hash:
dd8e1b816f3e7d9dcfa6eddc20a27fe0fbed478a
Link:
https://www.unpac.me/results/f9072330-1f08-441c-84dc-58d80d86725f/
SH256 hash:
27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e
MD5 hash:
4da0b88dce6ebc7197555fbd66d07224
SHA1 hash:
5d410ff26c177bfa4cd74fe472a7043e89091fda
Link:
https://www.unpac.me/results/f9072330-1f08-441c-84dc-58d80d86725f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164913/

Comments