MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b2ea32978b65edcc7308a2860e788b7631ecdde10e72b689268f3fdffdaeb4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 9



SHA256 hash: 3b2ea32978b65edcc7308a2860e788b7631ecdde10e72b689268f3fdffdaeb4f
SHA3-384 hash: abbfab109ad872ec96d300157d46596231d1a1a0a688abcbd4e47d3a9ddfa3013ab9ee8edf0a5d741121684531499f24
SHA1 hash: ad895d79067fd69b7c16cdfe259a68d0a5025bb3
MD5 hash: 73739fdb0582947d75e409af1ffd2fce
humanhash: stairway-victor-ten-lake
File name: open payment copy.exe
Signature: NetWire
File size: 556'032 bytes
First seen: 2020-10-22 06:55:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 6144:VWqGyTFU66TD/+HG6jBCwmHNV4h9spLyLARG5xSEj53+xLfDcNxaQ2JcDhgNoy5w:VWqGySN+H/duVPV+ARUQk+D0p2JGSNo
Threatray: 58 similar samples on MalwareBazaar
TLSH: 6FC46D6562059F70E47B65B14007D0B20212FED32AA1FA5B2EE1BD6BF9B24C60DC5BC7
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
Malspam distributing NetWire:

HELO: cp.cloudinc.co.za
Sending IP: 41.66.169.18
From: Shelton Mandipira <info@brandathenaa.co.za>
Subject: Payment
Attachment: Payment Copies.iso (contains "open payment copy.exe")

Intelligence


File Origin
Uploads: 1
Downloads: 148
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Enabling autorun
Result
Threat name: NetWire
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Writes to foreign memory regions
Yara detected Netwire RAT
Behaviour
Behavior Graph (ID 302523; sample: open payment copy.exe; start date: 22/10/2020; architecture: WINDOWS; score: 100), process tree recovered from the rendered graph:
open payment copy.exe (initial process): writes to foreign memory regions, allocates memory in foreign processes, injects a PE file into a foreign process; drops C:\Users\user\AppData\Local\Temp\svhost.exe (PE32), C:\Users\user\AppData\Local\...\name.exe.lnk (MS) and C:\Users\user\...\open payment copy.exe.log (ASCII); starts svhost.exe and three cmd.exe instances
    svhost.exe: connects to 185.244.30.163 on ports 3365, 3367 and 4082 (DAVID_CRAIGGG, Netherlands)
    cmd.exe (1): starts reg.exe and conhost.exe; reg.exe creates an undocumented autostart registry key
    cmd.exe (2): drops C:\Users\user\AppData\Local\Temp\...\name.exe (PE32); starts conhost.exe
    cmd.exe (3): drops C:\Users\user\...\name.exe:Zone.Identifier (ASCII); starts conhost.exe
Top-level signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-22 01:08:47 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: rat botnet stealer family:netwire
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Unpacked files
SHA256 hash: 3b2ea32978b65edcc7308a2860e788b7631ecdde10e72b689268f3fdffdaeb4f
MD5 hash: 73739fdb0582947d75e409af1ffd2fce
SHA1 hash: ad895d79067fd69b7c16cdfe259a68d0a5025bb3
SHA256 hash: 6c37d236e7b6b42047fe2c0c82e7b75eff48ef85515c070a3b95346dd1fcdcae
MD5 hash: 0b7cf8d4fd63daed0f5fd8d5696e6955
SHA1 hash: bd8a88c29b70c1e3e141a15ccd8de469ce909bea
Detections: win_netwire_g1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Malicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxiliary
Reference: https://pastebin.com/8qaiyPxs

Rule name: MAL_unspecified_Jan18_1
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research

Rule name: netwire
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research

Rule name: Suspicious_BAT_Strings
Author: Florian Roth
Description: Detects a string also used in Netwire RAT auxiliary
Reference: https://pastebin.com/8qaiyPxs

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
NetWire
Executable exe 3b2ea32978b65edcc7308a2860e788b7631ecdde10e72b689268f3fdffdaeb4f (this sample)

Delivery method: Distributed via e-mail attachment

Comments