MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

SHA256 hash: 3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5
SHA3-384 hash: ca5ce826812a602edbbbc715d4c56751ff6203b9f87fc6778742135f005fe027c554b78b7876c5758ebb36d21560057c
SHA1 hash: 1a0c64541eb2e9cb20d5d6e9ad55ff67f7c625c8
MD5 hash: c0456dd63553c74b835ed7fc06c39344
humanhash: autumn-freddie-venus-cola
File name: c0456dd63553c74b835ed7fc06c39344
Signature: NetWire
File size: 1'213'352 bytes
First seen: 2022-11-25 01:54:13 UTC
Last seen: 2022-11-25 05:29:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 865328ec6e8c931f31b423bc1dffe934 (2 x LgoogLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep: 24576:lgYjOjOE72fjkzv2kLpA9C43v3aNKByFvBJbpCJ2uWriFhuM1x1L4gir:l/OFafjIv2ki/oKwBa2unTu0T4x
TLSH: T10245E0209DFBD643CE428AB3AC602B71D339EE6E9B1722834E65FA050F535B0523765D
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 52b2f07071717062 (1 x NetWire)
Reporter: zbetcheckin
Tags: 32 exe NetWire signed

Code Signing Certificate

Organisation: lightweight.com
Issuer: R3
Algorithm: sha256WithRSAEncryption
Valid from: 2022-10-23T01:34:00Z
Valid to: 2023-01-21T01:33:59Z
Serial number: 03bd4d35d83158d19f0c08eb37233d489710
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 014198fdcfecfa8acd78a00764514734c4dc688dff1411e0398ca91b9e325924
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 623
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c0456dd63553c74b835ed7fc06c39344
Verdict: Malicious activity
Analysis date: 2022-11-25 01:56:53 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: NetWire
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph: (graph image not reproduced; the information recoverable from its node labels is listed below)
Behavior Graph ID: 753529, Sample: rI7ZEuyP9n.exe, Startdate: 25/11/2022, Architecture: WINDOWS, Score: 100
Process tree: rI7ZEuyP9n.exe drops C:\Users\user\...\doreledo kecoya bil.exe (PE32) and doreledo kecoya bil.exe:Zone.Identifier (ASCII), then starts doreledo kecoya bil.exe, cmd.exe and schtasks.exe; cmd.exe starts PING.EXE, chcp.com and conhost.exe; schtasks.exe starts conhost.exe; doreledo kecoya bil.exe starts ngentask.exe, which drops C:\Users\user\AppData\Roaming\...\sqlite3.dll (PE32).
Network: DNS lookups for wsw6gm5yi869a0qdogqfrq4b.1nkotoawc6ndey9nwbaolgcleio; www.sssupersports.com 104.21.44.248 port 443 (CLOUDFLARENETUS, United States); alice2019.myftp.biz 198.12.91.245 port 3366 (AS-COLOCROSSINGUS, United States); PING.EXE to 127.0.0.1.
Graph signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Found stalling execution ending in API Sleep call; Self deletion via cmd or bat file; Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Uses ping.exe to check the status of other devices and networks; 6 other signatures.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-11-24 23:31:33 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 11 of 26 (42.31%)
Threat level: 5/5
Verdict: malicious
Label(s): netwirerc
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Loads dropped DLL
Executes dropped EXE
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: bdc9d099d0fa530a68b2d65fd56a447ca5b3e1dd49d6939225e3d0493a9f2f22
MD5 hash: 6aed8d6034f513876ad640e4a2760dcf
SHA1 hash: 5c88fef9b3c8b53ccdccae3592546852d111b5d2
SHA256 hash: 3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5
MD5 hash: c0456dd63553c74b835ed7fc06c39344
SHA1 hash: 1a0c64541eb2e9cb20d5d6e9ad55ff67f7c625c8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download    | NetWire   | Executable exe 3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-11-25 01:54:20 UTC

url : hxxp://77.73.133.113/lego/badsanta.exe