MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90
SHA3-384 hash: acab2f321a26df933067ec89c55ecade673abe87e20abc1875200919ff49c9e1a000b6c5b270ebce5e0b60a352400737
SHA1 hash: 2fff1f353cb6946d6f226050e710d4bc0cf4d16e
MD5 hash: 023ae9c9494ea1d4c24dcbfe7892c611
humanhash: black-north-arkansas-connecticut
File name:vmclang.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:6'110'721 bytes
First seen:2020-12-24 13:28:53 UTC
Last seen:2020-12-24 15:37:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 92cb04c3552894fa155e1ff5e8d36a40 (1 x NetWire)
ssdeep 98304:iMEYG4Eyadcj/AtKjQ/iKFjlG9WaRvNOK:iMEqdy0ciKFjC0
Threatray 376 similar samples on MalwareBazaar
TLSH 70567E61B244D53ED4AB0F3A447BA665983EBB713A13CC5B67F0084C4F77A81263E297
Reporter o2genum
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
797
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vmclang.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-24 13:30:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f65d6d4-b19d-4a46-bdfa-5b9607aafa27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109341/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

PUA.Win.Adware.Dealply-6619242-0
Create hunting rule

PUA.Win.Malware.Gamemodding-6726308-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
Creating a file
Connection attempt
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
2
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569730
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Hijacks the control flow in another process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 333924 Sample: vmclang.exe Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 23 reroutetraffic.io 2->23 25 ipv4.imgur.map.fastly.net 2->25 27 i.imgur.com 2->27 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected NetWire RAT 2->43 45 Machine Learning detection for sample 2->45 47 Sigma detected: Suspicious Svchost Process 2->47 8 vmclang.exe 2->8         started        signatures3 process4 signatures5 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->49 51 Hijacks the control flow in another process 8->51 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 11 extrac32.exe 8->11         started        process6 signatures7 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->57 59 Hijacks the control flow in another process 11->59 61 Writes to foreign memory regions 11->61 63 Maps a DLL or memory area into another process 11->63 14 notepad.exe 1 11->14         started        19 svchost.exe 1 11->19         started        process8 dnsIp9 29 reroutetraffic.io 190.2.130.70, 4545, 49748, 49752 WORLDSTREAMNL Curacao 14->29 31 192.168.2.1 unknown unknown 14->31 21 C:\Users\user\AppData\Roaming\...\vmclang.exe, PE32 14->21 dropped 33 System process connects to network (likely due to code injection or exploit) 14->33 35 Contains functionality to log keystrokes 14->35 37 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->37 39 2 other signatures 14->39 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 13:29:05 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqoo67jartupackecxigzrq7un65tsjqrt6nt7pa66rsoazcb2ia._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1254f2a5cf88750e22a29c78e1e316cd034d3763302bfafaea0ceac3fec49e1e
NetWire
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
NetWire
c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc
NetWire
d98e919482d344212e9e79e1154ee7015bba50d90107fe122a59cae38484eb84
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
f52c73e9a148074ad2d20b27874e0c183a461f0e21ed09874ef706e464757e2e
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
NetWire
+ 366 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/201224-bgkg9ybmys/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90
MD5 hash:
023ae9c9494ea1d4c24dcbfe7892c611
SHA1 hash:
2fff1f353cb6946d6f226050e710d4bc0cf4d16e
Link:
https://www.unpac.me/results/35abaa86-c322-4c98-af64-e4b9b6d4d574/
SH256 hash:
c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c
MD5 hash:
abf6c724b20844d5b0073988a58faf1e
SHA1 hash:
7a8269d5b2ae623f8148ce9863f48f7e12ce036b
Link:
https://www.unpac.me/results/35abaa86-c322-4c98-af64-e4b9b6d4d574/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/109341/

Comments


Avatar
Andrey Moiseev commented on 2020-12-24 13:39:03 UTC

https://app.any.run/tasks/6f7e7211-c659-46d1-bf9f-d4360dc8f598