MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 16

Intelligence 16 IOCs YARA 9 File information Comments

SHA256 hash:	3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c
SHA3-384 hash:	0c72f7058dbde4c370a598d0bd0acaf031b8533f015c2cec91de2585f969e1df269f1869fd93cda1c50ad6ecd61760f5
SHA1 hash:	0fdbd386a4cd8ac2edbd32a32a2fd5e8263bc38c
MD5 hash:	58d02ed4bc010363facf162ac2976905
humanhash:	pasta-hydrogen-failed-sodium
File name:	3647BACE25F94430A534ABA8ABA08A731571AB2AB22F9.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	135'168 bytes
First seen:	2023-04-08 14:00:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4e6ba17721530f6e9a509b1380c99995 (5 x NetWire)
ssdeep	1536:dtTSUSKzF0Lh9a7WraTWFbmDHVXWRVAzZ8MfUSl7Q3rw75ggZG:dt5SKzF0Lh9a7IGW9GHeOFVvc3rKZG
Threatray	32 similar samples on MalwareBazaar
TLSH	T14AD3A419E66BD0F9FD472C7480DFF26F46386D00C534CF62DF953E02DA27921A129AA9
TrID	36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.4% (.EXE) Win64 Executable (generic) (10523/12/4) 7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
184.105.237.196:1120

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

3647BACE25F94430A534ABA8ABA08A731571AB2AB22F9.exe

Verdict:

Malicious activity

Analysis date:

2023-04-08 14:02:44 UTC

Tags:

netwire

Link:

https://app.any.run/tasks/6ee38284-462e-4557-b042-744483712a8d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/380902/

Detection(s):

Win.Malware.Ulise-9940505-0

Win.Malware.Razy-6703914-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto greyware keylogger netwire shell32.dll windows wirenet zusy

Link:

https://www.filescan.io/uploads/6431739fc9a9e6a6d8285dd7/reports/2e7d9680-f7a5-4522-9f30-c054ae64ef2b/overview

Verdict:

Malicious

Labled as:

Variadic.A.187.Generic

Link:

https://www.hybrid-analysis.com/sample/3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/62af3c03-dbf2-4758-b1d7-024b48846ef9

Result

Threat name:

Netwire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1210585

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

netwire

Link:

https://mwdb.cert.pl/sample/3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c/

Threat name:

Win32.Trojan.NetWired

Status:

Malicious

First seen:

2023-04-08 00:21:00 UTC

File Type:

PE (Exe)

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gzd3vtrf7fcdbjjuvoukxiekomkxdkzkwixzllbasclofqzo7aoa._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

459a609ffde4325a1e55f7b9a788ab5cf978d3e07c54349b9f9e50f1e6875c89

NetWire

784f22f31bacf9e57c6162d31282e75fde015c4a74f6b126a9255c4a38be8a38

NetWire

880a3f89941849fc46d6921a4ef7326e4b2b074a505e916cac0eb1cd0f15c45f

NetWire

950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c

NetWire

99041f48a8dbb8e5e375bd93e34a74be793e875f7c7d349bfd70f0a27b18bf7d

NetWire

aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc

NetWire

b0f6052c071380b0413ba33ab5f888442bba649614a7102ade644d7195487bed

NetWire

f22bf2bd431d6e2b93c8485c99537383fe4b775c70ca5633ffaf702fde170b7f

NetWire

+ 22 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/230408-rbjnsade83/

Behaviour

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

majika.gotdns.ch:1120
nik.pointto.us:1120
nikouh.pointto.us:1120

Unpacked files

SH256 hash:

3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c

MD5 hash:

58d02ed4bc010363facf162ac2976905

SHA1 hash:

0fdbd386a4cd8ac2edbd32a32a2fd5e8263bc38c

Detections:

win_netwire_auto

win_netwire_g1

Link:

https://www.unpac.me/results/c0e0470a-fc69-4046-9286-24bc10dae3ad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malicious_BAT_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	malware_netwire_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect netwire in memory
Reference:	internal research

Rule name:	MAL_unspecified_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	MAL_unspecified_Jan18_1_RID2F4A Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	netwire Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Suspicious_BAT_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	Windows_Trojan_Netwire_f42cb379 Create hunting rule
Author:	Elastic Security

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380902/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample