MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e06342f76a75e6213996869e7e121db995c3e689ead258a25cefb6f0bf45767. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 11



SHA256 hash: 2e06342f76a75e6213996869e7e121db995c3e689ead258a25cefb6f0bf45767
SHA3-384 hash: 72115c09c95577a1f98027b4e0720d2cd94a8bf773a4f9f2790a7b632265490bf4a92bd502a443605c80a57d9a6238a4
SHA1 hash: e64e56f776171cac42631bbba85ed3f6481e50be
MD5 hash: d37072a6a484249e18a8fea5b1bf654a
humanhash: thirteen-lemon-avocado-pizza
File name: Evergreen Purchase Order PO018251.exe
Signature: NetWire
File size: 368'511 bytes
First seen: 2022-01-13 07:27:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep: 6144:xwfRsAX4MmPk2+INe3Ubd+s1Dj2KZfdLBe586tN2/Y4Zpq:wRsATmPNnNdhDDj2KZfdL56e/ZZ0
Threatray: 9'249 similar samples on MalwareBazaar
TLSH: T1247401D336804A9AC815487629B78E355B77BF041E8674037788FF6F2E772D6B8070A6
dhash icon: 74f48888868e88b4 (12 x SnakeKeylogger, 7 x Formbook, 5 x RemcosRAT)
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
136.144.41.252:6945

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
136.144.41.252:6945 | https://threatfox.abuse.ch/ioc/294609/

Intelligence


File Origin
# of uploads: 1
# of downloads: 514
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Evergreen Purchase Order PO018251.exe
Verdict: Malicious activity
Analysis date: 2022-01-13 07:32:38 UTC
Tags: installer loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating synchronization primitives
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed shell32.dll
Malware family: Snake Keylogger
Verdict: Malicious
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 552346; sample: Evergreen Purchase Order PO018251.exe; start date 13/01/2022; architecture WINDOWS; score 100)
Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
Process tree reconstructed from the graph:
- Evergreen Purchase Order PO018251.exe (started)
  - dropped: C:\Users\user\AppData\...\bqjlnpgzfa.dll (PE32)
  - signature: Injects a PE file into a foreign processes
  - Evergreen Purchase Order PO018251.exe (started)
    - network: decembergrace345.ddns.net 136.144.41.252, ports 49756, 49758, 49759 (WORLDSTREAMNL, Netherlands)
    - dropped: C:\Users\user\AppData\Roaming\sdyugjk.exe (PE32); Evergreen Purchase...er PO018251.exe.log (ASCII)
    - sdyugjk.exe (started)
      - dropped: C:\Users\user\AppData\Roaming\...\eygii.exe (PE32); C:\Users\user\AppData\...\splnprppupi.dll (PE32)
      - signatures: Contains functionality to log keystrokes; Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; 2 other signatures
      - sdyugjk.exe (started)
        - network: decembergrace345.ddns.net; 192.168.2.1 (unknown)
- eygii.exe (started)
  - dropped: C:\Users\user\AppData\...\splnprppupi.dll (PE32)
  - signatures: Contains functionality to log keystrokes; Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
  - eygii.exe (started)
- eygii.exe (started)
  - dropped: C:\Users\user\AppData\...\splnprppupi.dll (PE32)
  - eygii.exe (started)
Threat name: Win32.Trojan.NetWired
Status: Malicious
First seen: 2022-01-13 07:28:08 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 16 of 43 (37.21%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction: decembergrace345.ddns.net:6945
Unpacked files
SHA256 hash: 5f8a594f30e143222b2fddc8eaecdd1bb7f7972bc7e8c7d3b45dca575cacac14
MD5 hash: 37a2e3aacdc08ef7dae6af8991b9a8be
SHA1 hash: f6406a1f914a73cf1e417f35efca8002e308a2c0

SHA256 hash: c5a730596ce396fdc9dffe7b438c2b618bd4fe4ce1e9023b7ba6b0589221efcd
MD5 hash: 43997a45b3937a5dcd81f9793968afdb
SHA1 hash: eba5aa9e22770b028e0d035c16ecc444caa72d28

SHA256 hash: abdff40ef5a4ff04697ca99fca75ccd1d06e7a1da6f86d7d11a540f15c10f0cf
MD5 hash: 037390124227db13963d7774ce527946
SHA1 hash: 61f34dbe45d2b6c1a3d3da6c371af456d9f1c864

SHA256 hash: ad89cf9b3d9a1d99fab389394ff8b6279f223138f94de194e79118695e79334e
MD5 hash: c889a3dd0f3ffca2085698d27d0fa223
SHA1 hash: 346ac91e035d7bb27e9655baf6cd22fa2947f647

SHA256 hash: 2e06342f76a75e6213996869e7e121db995c3e689ead258a25cefb6f0bf45767
MD5 hash: d37072a6a484249e18a8fea5b1bf654a
SHA1 hash: e64e56f776171cac42631bbba85ed3f6481e50be
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: MALWARE_Win_NetWire
Author: ditekSHen
Description: Detects NetWire RAT
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.netwire.
Rule name: win_netwire_w0
Author: Jean-Philippe Teissier / @Jipe_
Description: NetWiredRC

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments