MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b4569753be7e894aff4079e30581195d611e123a77ddb5115e05d15f16ed887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry: NetWire

Vendor detections: 6

SHA256 hash: 2b4569753be7e894aff4079e30581195d611e123a77ddb5115e05d15f16ed887
SHA3-384 hash: 1e66e71eaf8d4e1aa6950c34a9f08782c802504b888e031378b6cb1194b39147c19fd3d9e446f1e67862a3ebce8623d6
SHA1 hash: 11b88927bb06b9b661e9cd11c7d08116f64cbf12
MD5 hash: 10270751935c774658b5a8e956aa9ca1
humanhash: spring-cup-golf-louisiana
File name: 10270751935c774658b5a8e956aa9ca1
Signature: NetWire
File size: 615'424 bytes
First seen: 2020-11-17 11:47:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:Eln2AsrWD8AI+f6cII7NJBSGhq0+Q2Fa:E9Vsre8u6w/Sg5B2Q
TLSH: 87D40152F383D661D95432704CE7A83D02A27F8ADE33D50F399EB36E2F722525452E1A
Reporter: seifreed
Tags: NetWire

Intelligence

File Origin
# of uploads: 1
# of downloads: 259
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour:
- Creating a window
- Creating a file in the %temp% directory
- Creating a process from a recently created file
- Launching a process
- Creating a file
- Creating a file in the %AppData% subdirectories
- DNS request
- Connection attempt
- Unauthorized injection to a recently created process
- Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
- Unauthorized injection to a recently created process by context flags manipulation
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2020-11-11 04:10:53 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour:
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Adds Run key to start application
- Loads dropped DLL
- Executes dropped EXE
- NetWire RAT payload
- Netwire
Unpacked files:

SHA256 hash: 2b4569753be7e894aff4079e30581195d611e123a77ddb5115e05d15f16ed887
MD5 hash: 10270751935c774658b5a8e956aa9ca1
SHA1 hash: 11b88927bb06b9b661e9cd11c7d08116f64cbf12

SHA256 hash: d5a17d945a3abdf991b7d868dd25b179323e70cd3fd9dece6f7cbece600d978d
MD5 hash: dfbdf20f72ce43fc9400355c0846025d
SHA1 hash: 9e5ff464bbb543671edfc51a7a80fe80f840ecf3

SHA256 hash: d3e40357b1473585926415ac82f9242096672848b39fa66b522b3ed3c8f62bd2
MD5 hash: 95ecd2737775648c4afa919c43939f47
SHA1 hash: 599789a5c6fedbd61fe759a1318773f9e0901a1a

SHA256 hash: 83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash: 3c5dbcc3bb27e913e14efd8054811373
SHA1 hash: b0eba9388abddaef9d5aa49ccd5dbab2924cced0

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
