MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 364e721eeab968e3a203fbdd6e156d6884469471356f7ab19450142a0ea4cd67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 364e721eeab968e3a203fbdd6e156d6884469471356f7ab19450142a0ea4cd67
SHA3-384 hash: 812efceb620fc1e00e673fc20d942cefb7a58e119644a38c4bb2a0574a4b22043ce771a639cc5ad82fb819d345c4db70
SHA1 hash: 12f4af65d8596583e3fb0fac8a4834ac36a21ec1
MD5 hash: e73f3bc03a77e0ef3e06f24478620403
humanhash: social-wolfram-queen-wyoming
File name:PO-2110REV MTD Specification sheet & Drawings compressed_pdf.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'680'384 bytes
First seen:2021-03-09 11:01:20 UTC
Last seen:2021-03-09 13:25:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:hBI/z0nYXF0kyMqR2mZ7IF7WUlYxSBA+GqUW72CqrTz4DU:htYX6j/RDMF79HxGLtrv4
Threatray 301 similar samples on MalwareBazaar
TLSH 04755A232300EF6EE63C87785021485C53F7A909FB31EA1ABD8875DE5CB9FC18A67552
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: samail.online
Sending IP: 104.168.146.141
From: Sales05 <sales@samail.online>
Subject: PO-2110REV MTD (REVISED)
Attachment: PO-2110REV MTD Specification sheet Drawings compressed_pdf...z (contains "PO-2110REV MTD Specification sheet & Drawings compressed_pdf.exe")

NetWire RAT C2:
netrna.duckdns.org:3303 (194.5.98.221)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-NO
country: NO
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-10-07T21:35:29Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
409
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-2110REV MTD Specification sheet & Drawings compressed_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-09 11:13:53 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/48254d60-b9f7-48e7-8fb5-a0504ad3d54d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/123151/
Detection(s):
SecuriteInfo.com.ArtemisE73F3BC03A77.26420.11168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/632597
Signature
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-09 08:02:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
144
AV detection:
12 of 47 (25.53%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzhhehxkxfuohiqd7pow4flnnccenfdrgvxxvmmukakcudvezvtq._file
Verdict:
unknown
Similar samples:
06b297adafce01483cae411b664c7ff6a80240e0e2562726aeb2db60fedeb3ab
NetWire
17dad12ff05c404eaa01cd849464c0a631051c8ba3056fe171ebfeb9e16915a8
NetWire
2dc2cf646b7c31af83b7e91b3fabcb0c86cefea53aca57ce7e0d52aa943de13c
NetWire
3b7ee4facff2af3e6d06eb2d2ed64707aef6228fd57391a7e9539ae5ef71e31f
NetWire
545d2a220b69923954de8e8040be2c9b5e75ba757545182a077388981d0a6950
NetWire
751b9d20eea57288317d00cfb81935ee3a39e49b5043c69ee4c49e6cac41d9fa
NetWire
78d9ca06a7edacc70dacf6967f4f35c6bdd8f94f30f6c5cfbdbeb250f91907b2
NetWire
907b84898eb50aef8dd7df0e978775565dc18c2569c6c5872763a905440ed5b3
NetWire
98ca95d5888ed57532434861e0db91d5bf9b4b10b56bf5a1fb8b27fd7659fcf8
NetWire
e64b1e190d0586b444ffe00c8000df55893cb86939db1bad73d4b5449586973b
NetWire
+ 291 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210309-266t9bzwee/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/85617e77-46f2-4a0e-979c-0adf7fcce576/
SH256 hash:
364e721eeab968e3a203fbdd6e156d6884469471356f7ab19450142a0ea4cd67
MD5 hash:
e73f3bc03a77e0ef3e06f24478620403
SHA1 hash:
12f4af65d8596583e3fb0fac8a4834ac36a21ec1
Link:
https://www.unpac.me/results/85617e77-46f2-4a0e-979c-0adf7fcce576/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/364e721eeab968e3a203fbdd6e156d6884469471356f7ab19450142a0ea4cd67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

z 09242b30c8e527e715000097ae625c1aacc5f690025d16d08759dc055f145a1a

NetWire

Executable exe 364e721eeab968e3a203fbdd6e156d6884469471356f7ab19450142a0ea4cd67

(this sample)

  
Dropped by
MD5 39a23eeabcba432bf8173d557a9b1c41
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123151/
  
Dropped by
SHA256 09242b30c8e527e715000097ae625c1aacc5f690025d16d08759dc055f145a1a

Comments