MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3101eed05f09d6c47096bfea7ffc2367a7f83325618b602b6e808bcfb9bd6989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

SHA256 hash: 3101eed05f09d6c47096bfea7ffc2367a7f83325618b602b6e808bcfb9bd6989
SHA3-384 hash: 90ac48ddaae60ca50d5a0a0fd6416402694fd855313bfb306f1a1bfb02fa5e5bbfa9e9ac98d6fb3334059acc85954973
SHA1 hash: 0fccc8eea31a6ee0e17cb5c2f9cfddf8ad16f749
MD5 hash: deb4a84e3451fec595a0e56be5d0a99a
humanhash: florida-lactose-uranus-foxtrot
File name: Quotation.com
Signature: NetWire
File size: 227'328 bytes
First seen: 2021-01-12 18:10:18 UTC
Last seen: 2021-01-12 19:49:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9b62b0722ac75232134d66c7d9d312c1 (3 x Formbook, 1 x NetWire, 1 x RemcosRAT)
ssdeep: 6144:SjS4mVbOZMGri6Sr18rtpAe+WmgLInNI1Yg:SUcrAr1qtpAeJmuInTg
Threatray: 581 similar samples on MalwareBazaar
TLSH: 4124F14E96A21036D0A162FA97910B37DC72B968331465D7FB9CAC76833FD91F5A100F
Reporter: abuse_ch
Tags: com NetWire


abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.cmpilthium.com
Sending IP: 45.85.90.178
From: office@cmpilthium.com
Subject: Re: Pedido de Cotação
Attachment: Quotation.iso (contains "Quotation.com")
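The delivery chain reported above (an .iso attachment that carries a PE named Quotation.com) is the kind of thing a mail gateway should classify by content rather than by extension. The following is an added example, not part of abuse_ch's report and not MalwareBazaar's code: it identifies an ISO 9660 image by its primary volume descriptor, identifies a PE by its MZ/PE signatures, and flags a PE carrying the .com extension (a real DOS .com has no header; Windows still runs such a file through the PE loader). The two blobs built at the bottom are constructed stand-ins, not the real sample.

```python
"""Added example (not MalwareBazaar's or abuse_ch's code): triage an e-mail
attachment chain like the one reported above by trusting file magic over
file extensions. The filenames and byte blobs below are constructed."""
import hashlib
import struct

# Extensions Windows will execute directly, whatever the bytes look like.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Disk-image containers that mount on double-click; files inside them did not
# carry Mark-of-the-Web until Microsoft changed ISO handling in late 2022.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}


def ext_of(name: str) -> str:
    """Lower-cased final extension of a filename ('' if there is none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def is_iso9660(data: bytes) -> bool:
    """ISO 9660 primary volume descriptor: type byte 0x01 + 'CD001' at sector 16."""
    return len(data) > 0x8006 and data[0x8000:0x8006] == b"\x01CD001"


def is_pe(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature at the e_lfanew offset (DOS header +0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment by content and report extension/content mismatches."""
    ext = ext_of(name)
    verdicts = []
    if is_iso9660(data):
        verdicts.append("iso9660 container")
    if is_pe(data):
        verdicts.append("pe executable")
        if ext == ".com":
            # A genuine DOS .com has no header, so MZ/PE under .com is a
            # Windows PE given a less familiar extension.
            verdicts.append("pe disguised as .com")
    if ext in CONTAINER_EXTS and not is_iso9660(data):
        verdicts.append("container extension without container magic")
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "ext": ext,
        "runnable_ext": ext in EXECUTABLE_EXTS,
        "verdicts": verdicts,
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for Quotation.com: MZ header, e_lfanew=0x40, PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x100


def build_fake_iso() -> bytes:
    """Constructed stand-in for Quotation.iso: zeros up to sector 16, then a PVD header."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


if __name__ == "__main__":
    for name, blob in (("Quotation.iso", build_fake_iso()),
                       ("Quotation.com", build_fake_pe()),
                       ("notes.txt", b"plain text")):
        print(triage_attachment(name, blob))
```

In a real gateway the ISO would be opened (for example with a library such as pycdlib) and each member passed through triage_attachment in turn; the magic checks above are what make that recursion worthwhile, since a renamed payload inside the image would otherwise be judged by its extension alone.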

Intelligence

File Origin
# of uploads: 2
# of downloads: 286
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Quotation.com
Verdict: Malicious activity
Analysis date: 2021-01-12 18:39:00 UTC
Tags: rat netwire trojan

Note: ANY.RUN is an interactive sandbox, so its report reflects all actions taken in the analysis session, not only the behaviour of the uploaded sample.
Result
Verdict: Malware
Behaviour:
Creating a file in the %temp% subdirectories
Creating a file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected NetWire RAT
Behaviour
Behavior Graph ID: 338722, Sample: Quotation.com, Startdate: 12/01/2021, Architecture: WINDOWS, Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
Process tree and artifacts (reconstructed from the graph):
Quotation.exe (first instance, started from the sample)
  dropped: C:\Users\user\AppData\Local\Temp\...\file.exe (PE32); C:\...\8e13576e0c6843fba059d33f78796ce4.xml (XML)
  signatures: Contains functionality to steal Chrome passwords or cookies; Maps a DLL or memory area into another process
  started: Quotation.exe (second instance); cmd.exe
Quotation.exe (second instance)
  dropped: C:\Users\user\AppData\Roaming\...\Host.exe (PE32)
  started: Host.exe
cmd.exe
  started: conhost.exe; schtasks.exe
Host.exe (started by the second Quotation.exe)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
  started: Host.exe
Host.exe (final instance)
  network: mygodwillsurelydosoemthingnew.duckdns.org, 194.5.98.200, ports 20905 and 49721 (49721 lies in the Windows ephemeral client range, so 20905 is the C2 listener), DANILENKODE, Netherlands
Host.exe (two further instances started at the graph's root, each starting another Host.exe)
Threat name: Win32.Backdoor.NetWiredRc
Status: Malicious
First seen: 2021-01-12 18:11:10 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
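The sandbox behaviours listed on this page (a second copy of the sample started by the first, cmd.exe launching schtasks.exe, a Run key pointing at Host.exe under AppData\Roaming, a DuckDNS lookup and the connection to 194.5.98.200:20905) map directly onto a few host-telemetry rules. The block below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted above: it replays that chain as constructed Sysmon-style events and runs the rules over them. Only the C2 domain, IP and port are taken from the report on this page; the task name, the Roaming sub-folder and every process ID are made up for the demo.

```python
"""Added example; not code from MalwareBazaar or from any sandbox quoted on
this page. Detection rules for the behaviour reported for this sample, run
over constructed Sysmon-style events (IDs 1, 3, 13, 22). Only the C2 domain,
IP and port come from the page; everything else in EVENTS is made up."""
from collections import namedtuple

Alert = namedtuple("Alert", "rule pid detail")

# IOCs from the sandbox report on this page.
C2_DOMAINS = {"mygodwillsurelydosoemthingnew.duckdns.org"}
C2_IPS = {"194.5.98.200"}
# Dynamic-DNS providers commonly seen fronting RAT C2 (DuckDNS is the one used here).
DYN_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")

# Constructed: the Roaming sub-folder name is invented, the page only shows "...".
HOST = r"C:\Users\user\AppData\Roaming\Install\Host.exe"
EVENTS = [
    {"id": 1, "pid": 1800, "ppid": 900, "image": r"C:\Users\user\Desktop\Quotation.com",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Quotation.com"},
    {"id": 1, "pid": 1900, "ppid": 1800, "image": r"C:\Users\user\Desktop\Quotation.com",
     "parent": r"C:\Users\user\Desktop\Quotation.com", "cmdline": "Quotation.com"},
    {"id": 1, "pid": 2000, "ppid": 1800, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\user\Desktop\Quotation.com", "cmdline": "cmd.exe /c schtasks"},
    {"id": 1, "pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'schtasks /create /f /sc minute /mo 1 /tn Host /tr "{HOST}"'},
    {"id": 1, "pid": 2200, "ppid": 1900, "image": HOST,
     "parent": r"C:\Users\user\Desktop\Quotation.com", "cmdline": "Host.exe"},
    {"id": 1, "pid": 2300, "ppid": 2200, "image": HOST, "parent": HOST, "cmdline": "Host.exe"},
    {"id": 13, "pid": 1900, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Host",
     "details": HOST},
    {"id": 22, "pid": 2200, "query": "mygodwillsurelydosoemthingnew.duckdns.org",
     "result": "194.5.98.200"},
    {"id": 3, "pid": 2200, "dest_ip": "194.5.98.200", "dest_port": 20905, "proto": "tcp"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def evaluate(events):
    """Run every rule over the event list and return the alerts raised."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 1:
            image, parent = e["image"], e["parent"]
            # Hollowing/injection pattern: a user-profile binary starts a copy of itself.
            if basename(image) == basename(parent) and under_user_profile(image):
                alerts.append(Alert("self_spawn_from_user_profile", e["pid"], image))
            # schtasks.exe via cmd.exe whose own parent lives in the user profile.
            if basename(image) == "schtasks.exe" and basename(parent) == "cmd.exe":
                grandparent = procs.get(procs.get(e["ppid"], {}).get("ppid"))
                if grandparent and under_user_profile(grandparent["image"]):
                    alerts.append(Alert("schtasks_from_user_profile_binary", e["pid"], e["cmdline"]))
        elif e["id"] == 13:
            # Run-key autorun whose target sits under AppData\Roaming.
            if ("\\currentversion\\run\\" in e["target"].lower()
                    and "\\appdata\\roaming\\" in e["details"].lower()):
                alerts.append(Alert("run_key_into_appdata_roaming", e["pid"], e["details"]))
        elif e["id"] == 22:
            query = e["query"].lower()
            if query.endswith(DYN_DNS_SUFFIXES):
                alerts.append(Alert("dynamic_dns_lookup", e["pid"], query))
            if query in C2_DOMAINS:
                alerts.append(Alert("ioc_domain_match", e["pid"], query))
        elif e["id"] == 3:
            if e["dest_ip"] in C2_IPS:
                alerts.append(Alert("ioc_ip_match", e["pid"], f'{e["dest_ip"]}:{e["dest_port"]}'))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The first three rules are behavioural and will keep firing after the C2 host rotates; the IOC matches are there for retro-hunting this specific campaign and should be expected to go stale, since dynamic DNS exists precisely so the operator can re-point the name.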
Unpacked files
SHA256 hash: 3101eed05f09d6c47096bfea7ffc2367a7f83325618b602b6e808bcfb9bd6989
MD5 hash: deb4a84e3451fec595a0e56be5d0a99a
SHA1 hash: 0fccc8eea31a6ee0e17cb5c2f9cfddf8ad16f749
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: NetWire
File type: Executable exe
SHA256: 3101eed05f09d6c47096bfea7ffc2367a7f83325618b602b6e808bcfb9bd6989 (this sample)

Delivery method
Distributed via e-mail attachment