MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03
SHA3-384 hash: 3b1e300f47d609b9109dc05f852b45f0f657a383975b1a913d594c3b13e6b64c048e6d676598b4c2f627bf8e0eb50647
SHA1 hash: 0afb96d6c724e26f635f6b9e494e43a8159255be
MD5 hash: d7e428d65ccdfae4250a05f8c07dd391
humanhash: mississippi-music-thirteen-friend
File name:SKBMT_ 5870Z904_ Image.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:385'536 bytes
First seen:2021-02-23 07:26:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:/xE3WpQMV/0tfoXvXAa5EQJJfFSa8BLkCvDOiiAhKGaxCvX5poSZoWeaATxU3RUh:ZFQMG6fwkDBSFBFO3/x+pZoxt1C
Threatray 359 similar samples on MalwareBazaar
TLSH AB84127CC521C861FFB94ABE982E1A8A2216EF6635C46384ECC90717C773B782816DC5
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: servidor2.mediosenred.tv
Sending IP: 5.145.175.121
From: Philipp Baminger <philippe.li@midea.com>
Subject: RV: AW: Payment confirmation
Attachment: SKBMT_ 5870Z904_ Image.img (contains "SKBMT_ 5870Z904_ Image.exe")

NetWire RAT C2:
mmakopl.duckdns.org:5569

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118520/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/614942
Signature
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Sigma detected: NetWire
Uses dynamic DNS services
Yara detected Beds Obfuscator
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 07:27:17 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzp2luybjjt2mydbf3nn34hfvp3a26yprobdg2yxvnsgjrcwpubq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
2928d0d53b459f6b822fd781360a743b3548f31c31c012ba8a25b42235aff154
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
5105c1a352e0f0e2a54b08132d9d1e383f6505a7aa42b8aea411c85551c37175
NetWire
7511c244b32ec5bc59ff7173ee5aa83a764ea6607522b79cc99c5537907e50e7
NetWire
92c0d7be74bd55ea431d9f144b0938834c74764e87c39e8bcd640e05458c4adf
NetWire
cf3b59c22659d7931cf9d0338d57af01d63fbb8363ebc4c86be884194ef62e40
NetWire
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f
NetWire
eff2bda9797c042cbae44c8aed29b31b853733c0676a687dc62676752197c05d
NetWire
f4af46ad96a86cad60d613a3387a0a68c580247ef88943e2ea0e5b9679a38c2e
NetWire
+ 349 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210223-xlnfcb7gl6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Beds Protector Packer
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/631e53c4-161f-4060-a111-de0f6f5ac79b/
SH256 hash:
05093e904d89f8a1d79c6178fa1e2416f4408b61953778cb909188461747ce81
MD5 hash:
909c4d2e64da9078e5905562e8d5ea84
SHA1 hash:
e70d17292a9421243859cdae178cbf207273a068
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/631e53c4-161f-4060-a111-de0f6f5ac79b/
Parent samples :
6ba5c67ab5a2f0905d5140b65b193d1062bcba3abb6e9755efe2a862f753cc95
2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03
SH256 hash:
a46190ade0860bfc9fc2bec4dacc638b8e2f2d3e36c92d316e5b74da1afb2d39
MD5 hash:
ce6aada97becd22ab32664bcbe324366
SHA1 hash:
3d3fc544aaaad0998f4830666fdca5fe0101ac1c
Link:
https://www.unpac.me/results/631e53c4-161f-4060-a111-de0f6f5ac79b/
SH256 hash:
2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03
MD5 hash:
d7e428d65ccdfae4250a05f8c07dd391
SHA1 hash:
0afb96d6c724e26f635f6b9e494e43a8159255be
Link:
https://www.unpac.me/results/631e53c4-161f-4060-a111-de0f6f5ac79b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img da39b46eceeb9f0837da42119c575533611a37b32419aeb4c8a0eeadd880f6c2

NetWire

Executable exe 2e5fa5d3014a67a660612edaddf0e5abf60d7b0f8b82336b17ab6464c4567d03

(this sample)

  
Dropped by
MD5 c1274bd3d34d2f6e5198d93f9d8781e5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118520/
  
Dropped by
SHA256 da39b46eceeb9f0837da42119c575533611a37b32419aeb4c8a0eeadd880f6c2

Comments