MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29e2a8176598cb686dad7e472e9a892b9569263f448dbe9ecd5b5c660e447b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29e2a8176598cb686dad7e472e9a892b9569263f448dbe9ecd5b5c660e447b12
SHA3-384 hash: 3133aadd3a5192b81a90804852c530e53f18d5fec510125eceac0ec6630bd67cbd88a589974fcdb798589f4921bb6367
SHA1 hash: e470814ea5e75024465ad8b71854b452f3a9992e
MD5 hash: a7fe7c6d0f88745cda12568015484074
humanhash: colorado-violet-aspen-mobile
File name:NERT_08.10.2020.scr
Download: download sample
Signature NetWire
Create hunting rule
File size:644'096 bytes
First seen:2020-10-09 11:32:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:7XkzTjpb49S4C2z5Yeb3XLSW7DrEJCaGRqRHGr2by:7XkzTp49SQzOQXjDwJCaGRTi
Threatray 9 similar samples on MalwareBazaar
TLSH 48D4D022B3986F90F57EA77885601110A7F5B917E332E34E3EAD10DE0DA2F819763752
Reporter abuse_ch
Tags:NetWire scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: jupiter.ileysinc.com
Sending IP: 209.133.220.9
From: NEFTRTGS.QUERY <nefthelpdeskncc@rbi.org>
Subject: RTGS FAILED ON 08.10.2020
Attachment: NERT_08.10.2020.rar (contains "NERT_08.10.2020.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69542/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Threat name:
Netwire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/486669
Signature
Antivirus / Scanner detection for submitted sample
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295779 Sample: NERT_08.10.2020.scr Startdate: 09/10/2020 Architecture: WINDOWS Score: 96 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 5 other signatures 2->41 7 NERT_08.10.2020.exe 1 4 2->7         started        process3 file4 33 C:\Users\user\...33ERT_08.10.2020.exe.log, ASCII 7->33 dropped 43 Disables Windows Defender (via service or powershell) 7->43 45 Injects a PE file into a foreign processes 7->45 11 powershell.exe 25 7->11         started        13 powershell.exe 23 7->13         started        15 powershell.exe 24 7->15         started        17 16 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 8 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29e2a8176598cb686dad7e472e9a892b9569263f448dbe9ecd5b5c660e447b12/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 05:12:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhrkqf3ftdfwq3nnpzds5gujfokwsjr7isg35hwnlnogmdsepmja._file
Verdict:
unknown
Similar samples:
10322acb3813bf047663e86eed28be131bcec8c67fb54f6643c5419b05a4cc8e
NetWire
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
NetWire
1befcab4a8d97cea8592fa608814f038fd956a5f1f2ddfd9ee8b9402045a705a
NetWire
510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253
NetWire
7a2cd283e2f30e88cea6a791a533760e6955b35ffa322e48f2feb6743f705220
NetWire
816581131b3f726da0cfef239111730e74f04e9015df6a519b92a7e0d6e2cd6a
NetWire
9f335bab72c02acf039bc0366145e832630347a1d141dd1ae768637e52a1a7ce
NetWire
c61d5fa6c2a4f421767a7c793da96a0e8e88d482e078ef994f0a50bac73464f0
NetWire
fea260d8c97eb6ae4079fb37951566b9f2ec8f785688a3ff63bc7833b6cebdf0
NetWire
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201009-1gdcrhmbe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
29e2a8176598cb686dad7e472e9a892b9569263f448dbe9ecd5b5c660e447b12
MD5 hash:
a7fe7c6d0f88745cda12568015484074
SHA1 hash:
e470814ea5e75024465ad8b71854b452f3a9992e
Link:
https://www.unpac.me/results/8f0faee1-4b62-4767-9668-935c637a77d0/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/8f0faee1-4b62-4767-9668-935c637a77d0/
SH256 hash:
4f7ce1ca3c41b134db203f664306ac9b46778d0065793053c5b14e5d360f9cfa
MD5 hash:
412bbabcc20e085f729f5baead117160
SHA1 hash:
75ccbe21eb48d767d022131f24538afeb03c32ae
Link:
https://www.unpac.me/results/8f0faee1-4b62-4767-9668-935c637a77d0/
SH256 hash:
b2ba9a07235409a0265d9d2d41add49c444fc2363d45817435ddbbde58fb0992
MD5 hash:
1da0cc2b923128172278c5392b4bd879
SHA1 hash:
975e43ae1043f59cc293892a3d218f85952085db
Link:
https://www.unpac.me/results/8f0faee1-4b62-4767-9668-935c637a77d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29e2a8176598cb686dad7e472e9a892b9569263f448dbe9ecd5b5c660e447b12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 709096102a8bcb439289f95a1786c94df7f715aa4f5114cd22357b8ff1222559

NetWire

Executable exe 29e2a8176598cb686dad7e472e9a892b9569263f448dbe9ecd5b5c660e447b12

(this sample)

  
Dropped by
MD5 fe7478b1e64321e069911d200c286cc3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69542/
  
Dropped by
SHA256 709096102a8bcb439289f95a1786c94df7f715aa4f5114cd22357b8ff1222559

Comments