MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 315cf8478e78f24ee69c77188e870dc5630a1b8e943b1e488207670e965cbe29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 315cf8478e78f24ee69c77188e870dc5630a1b8e943b1e488207670e965cbe29
SHA3-384 hash: ee8cded4a14faaef045ae385630303fd9ca85ba69ff461d8e46660cbc81d5dff957b83da32d785c3cf58f052ff3b0aeb
SHA1 hash: af1a257e9310153d4dd26c7f973bc47c69aa5909
MD5 hash: 40b831769a90dd01f5dc027c4bc83039
humanhash: neptune-steak-angel-pluto
File name:SecuriteInfo.com.W32.AIDetect.malware1.21458.4281
Download: download sample
Signature NetWire
Create hunting rule
File size:397'158 bytes
First seen:2021-03-08 13:44:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:QBlL/5MGfqjxMTMGvS/6+y/ty8A2f49v6J5zcC+:i7s+TM2S/6O8m9vuCC+
TLSH C684E60472C2E059FAC136F2246B7AF597AE7C07350C94A672B8795939384C3AF0BE5D
Reporter SecuriteInfoCom
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
richiesta d'ordine-0363-08-03.zip
Verdict:
Malicious activity
Analysis date:
2021-03-08 09:57:55 UTC
Tags:
loader trojan netwire
Link:
https://app.any.run/tasks/377f11e3-40bd-4d83-8218-610c11825d99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122779/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.21458.4281.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Connection attempt
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/631222
Signature
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 10:10:20 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfopqr4opdze5zu4o4mi5bynyvrqug4osq5r4seca5tq5fs4xyuq._file
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210308-vvyhbtsdaa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
9d54411066cfcab1acf58e5a9244fc8c55c68ce1a22fe42ea0e8ca8584e5e93b
MD5 hash:
7eea01c0089c5c57417ce939024f3598
SHA1 hash:
afd5378ae1369be1c37213f4618e286776874889
Link:
https://www.unpac.me/results/c62d8641-c010-4eb2-a5fa-20ae1f7724a0/
SH256 hash:
a250179226f6af80470d143251828be1dc3c83a833c3d677e5e4998a23d7a52c
MD5 hash:
d4d9ddae82d1226274c53898b79e4c6c
SHA1 hash:
aff545319b0952b655385cf85d5b29e00bebafaf
Link:
https://www.unpac.me/results/c62d8641-c010-4eb2-a5fa-20ae1f7724a0/
SH256 hash:
3a8a34bd5a2fa6482ab4a914f0b3f2ffcd257c7755bd328bd32184f9679907f1
MD5 hash:
cdf225e257e4d9c0080ffb0f6df391e9
SHA1 hash:
2ceaabcec977fb172a230eb0de364b80dbbc5c8e
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/c62d8641-c010-4eb2-a5fa-20ae1f7724a0/
Parent samples :
76947dcfe886fe0e3273c7723140533999741f239a2ad7568a460cae74bb0e50
315cf8478e78f24ee69c77188e870dc5630a1b8e943b1e488207670e965cbe29
SH256 hash:
7a41c1e918cdf0a0c946e4a44663bf5e7baf161f089e67246df3e5dd00e29250
MD5 hash:
00e4d992dabcdda7ffd271f1bd337a8d
SHA1 hash:
7733cd8aba134bac0b2acc85ad4d4b3f12000845
Link:
https://www.unpac.me/results/c62d8641-c010-4eb2-a5fa-20ae1f7724a0/
SH256 hash:
315cf8478e78f24ee69c77188e870dc5630a1b8e943b1e488207670e965cbe29
MD5 hash:
40b831769a90dd01f5dc027c4bc83039
SHA1 hash:
af1a257e9310153d4dd26c7f973bc47c69aa5909
Link:
https://www.unpac.me/results/c62d8641-c010-4eb2-a5fa-20ae1f7724a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/315cf8478e78f24ee69c77188e870dc5630a1b8e943b1e488207670e965cbe29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 315cf8478e78f24ee69c77188e870dc5630a1b8e943b1e488207670e965cbe29

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1054216/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122779/

Comments