MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18
SHA3-384 hash: 44663bbd1b29a7fc0fc68c36dbcb8ec73d0b58fee419c7df807c4744ef6425ca6de288b16c70407787eea2b95b9a9c31
SHA1 hash: 05e01b76a514ca73bacd6b93a71c8bbdc0585578
MD5 hash: dde416475ac0ac6e5af6caa5f3eda9b1
humanhash: golf-lake-bravo-king
File name:DHL_Mar 2021 at 1.30_8BZ290_PDF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:241'050 bytes
First seen:2021-03-03 06:23:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:N8LxBmOyhzr/piX6AQzaA278eGQb5uXUwVIqyGu:dbrRwlQzaA2Ie8XHS
TLSH 963412157BD282FAEAC323716F36A73DF27FC6085946888B4F956D6E6E409074B042D3
Reporter abuse_ch
Tags:DHL exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail.golem.es
Sending IP: 82.194.91.23
From: DHL EXPRESS <noreply@dhl.com>
Subject: Re: DHL Notification / DHL_AWB_001179703/ETD
Attachment: DHL_Mar 2021 at 1.30_8BZ290_PDF.img (contains "DHL_Mar 2021 at 1.30_8BZ290_PDF.exe")

NetWire RAT C2:
mkv45.ddns.net:7210

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_Mar 2021 at 1.30_8BZ290_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-03-03 06:27:07 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/067a9c77-29a8-4e0e-8ea4-8b0ae4d85f81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/121196/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
DNS request
Connection attempt
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/625500
Signature
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: NetWire
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-03-03 06:24:14 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkeqr4cuysuc5pftket3b2ohsjg43nwbgs3w6ansngrn2i4wpmma._file
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210303-argvb1nsva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
ef77383db4a0c6a607e9a7e7277f6b88d3707fcc6f20236ebe1566c172c4bbe7
MD5 hash:
ccd59bd49cbf34dd93dfbd7f2585caae
SHA1 hash:
6d6f7ca2a45a964a852c0aa2b7e5fff14bee27c5
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/d093c7f3-1487-4aac-8808-74684c52a6f6/
Parent samples :
328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18
98a046d5edb9540592c6b45a2efa070864637109894d8d831e804ba09bbbcbb4
SH256 hash:
606f786ed5a4675f52257426c89aeaec57090ee6be07422b63f3f47e60b71856
MD5 hash:
bbda58017985cf3b6ceffbec1ad72774
SHA1 hash:
5bb52fcde666af4bcd0d87510667fd700fd45a0f
Link:
https://www.unpac.me/results/d093c7f3-1487-4aac-8808-74684c52a6f6/
SH256 hash:
e74491a94d0b2eaef241a3be7d67d2c8381bc1a802e29fc8843f6e8d429da13c
MD5 hash:
56b66bb47256144710c06be75b7e475a
SHA1 hash:
102aa16897ab275374f4662ec17c690f94d78fd6
Link:
https://www.unpac.me/results/d093c7f3-1487-4aac-8808-74684c52a6f6/
SH256 hash:
328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18
MD5 hash:
dde416475ac0ac6e5af6caa5f3eda9b1
SHA1 hash:
05e01b76a514ca73bacd6b93a71c8bbdc0585578
Link:
https://www.unpac.me/results/d093c7f3-1487-4aac-8808-74684c52a6f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img a69f60881645ba6864339a84a15f3893fe2c35e77500e5cdfe52d91f49ec0440

NetWire

Executable exe 328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18

(this sample)

  
Dropped by
MD5 5a8a4c85dd0cdd9d57d6a2125cfdbda4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/121196/
  
Dropped by
SHA256 a69f60881645ba6864339a84a15f3893fe2c35e77500e5cdfe52d91f49ec0440

Comments