MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 283b2bc1a6b060d631bb5dda92f35bc627463f9fb8239ea1007b89d1afb1dede. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11



SHA256 hash: 283b2bc1a6b060d631bb5dda92f35bc627463f9fb8239ea1007b89d1afb1dede
SHA3-384 hash: 3d62768243d235161db0208abeaa003212c1900c7a120eb4451b58f1e22cd17881b2c0d18f226eab3d13b4e1b86bff5d
SHA1 hash: 88a87e25151a8f569534e24561a42d4ebec65d9e
MD5 hash: 3efd8858fb3fff7278bf14bf4297fb17
humanhash: happy-washington-ink-eleven
File name: INV78839300.exe
Signature: NetWire
File size: 1'699'840 bytes
First seen: 2022-05-02 09:04:21 UTC
Last seen: 2022-05-02 09:34:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'833 x AgentTesla, 19'770 x Formbook, 12'296 x SnakeKeylogger)
ssdeep: 24576:os1iW7N/BFy30RnFh/1PciejVfGqZokcQmrKQY6cCDmg3:wUHyERnxPcie5f3nIo6f
Threatray: 1'271 similar samples on MalwareBazaar
TLSH: T153758D9C711071DFC857E0F2DA681C64AA607CBA531B4603903739AEAB7D987CF590FA
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: lowmal3
Tags: exe NetWire

Intelligence


File Origin
# of uploads: 2
# of downloads: 400
Origin country: n/a
Vendor Threat Intelligence

Malware family: netwire
ID: 1
File name: INV78839300.exe
Verdict: Malicious activity
Analysis date: 2022-05-02 09:04:33 UTC
Tags: trojan netwire

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe obfuscated packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph ID: 618898
Sample: INV78839300.exe
Start date: 02/05/2022
Architecture: WINDOWS
Score: 100

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process: INV78839300.exe (started)
  Dropped files:
    C:\Users\user\AppData\Roaming\StZYIx.exe (PE32)
    C:\Users\user\...\StZYIx.exe:Zone.Identifier (ASCII)
    C:\Users\user\AppData\Local\...\tmpDB3E.tmp (XML)
    C:\Users\user\AppData\...\INV78839300.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; 2 other signatures
  Child processes started: vbc.exe, powershell.exe, backgroundTaskHost.exe, schtasks.exe

Process: vbc.exe
  Network: podzeye.duckdns.org 154.53.40.254 (ports 49760, 49763, 49767), COGENT-174US, United States; 192.168.2.1 (unknown)
  Signatures: Found evasive API chain (may stop execution after checking mutex); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Process: powershell.exe -> conhost.exe -> conhost.exe
Process: backgroundTaskHost.exe -> conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-05-02 09:05:16 UTC
File Type: PE (.Net Exe)
Extracted files: 62
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet rat stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NetWire
Executable exe 283b2bc1a6b060d631bb5dda92f35bc627463f9fb8239ea1007b89d1afb1dede (this sample)
Delivery method: Distributed via e-mail attachment

Comments