MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cb34cca32bb4aea5625d0760bd6c51f71695c7bb2c11e465c24a31efbfba6cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cb34cca32bb4aea5625d0760bd6c51f71695c7bb2c11e465c24a31efbfba6cf
SHA3-384 hash: a7c40fb1c08fa893f8b3d18bbf1cbcec8a679f65dacedaeba9b118e5b9bde92fe847919942fd5a8b31ef2c067808fb25
SHA1 hash: 5e885913d272cb5912bd2bbb1f84be93ac09bf52
MD5 hash: 95b26096376f1a1624581f3203a05f4d
humanhash: cardinal-spring-berlin-paris
File name:9cdb3ec1accd17e884e8ed76d8789b2b
Download: download sample
Signature NetWire
Create hunting rule
File size:470'016 bytes
First seen:2020-11-17 11:57:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0922943cd5e72743dc95ef474069cfd (8 x AgentTesla, 8 x NanoCore, 5 x NetWire)
ssdeep 12288:trZQw9z/6mXQVn7KOGDB+7w2tkoMB30LoF7:trT9mjVn7KhD0pGB34
Threatray 323 similar samples on MalwareBazaar
TLSH 14A423F1D8A184E0E63A8570F4379EFB2A5BC1480E0C78295CA1D745BD7A3E38BE9157
Reporter seifreed
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.9881.4048.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cb34cca32bb4aea5625d0760bd6c51f71695c7bb2c11e465c24a31efbfba6cf/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 12:00:55 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hszuzsrsxnfouvrf2b3axvwfd5ywsxd3wlar4rs4esrr5673u3hq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1254f2a5cf88750e22a29c78e1e316cd034d3763302bfafaea0ceac3fec49e1e
NetWire
2388b2c1717d5f5741c2730b205a04d627d2cb6a1d4f781fb2f5fae3fa508e76
NetWire
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f
NetWire
940ca9e10bfa12f912ed6d60e827f89726fd036eadafa77eff33a7168b59839a
NetWire
a170710f4db4414908be1c82fc27c902e9d0680fc2bfa76c6c52037febfeeb77
NetWire
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
NetWire
de7a446a8d4bd4c53ba8ac5b909252692e79b27cd9e7abb6396e62e22274b3b4
NetWire
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
NetWire
ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
NetWire
+ 313 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer upx
Link:
https://tria.ge/reports/201117-r2dac44wsx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
cf9b5e889a331411137d01a7fcbbf7a17814fe9af39c14050424c09f68031706
MD5 hash:
6023c57d932e2df808133e1aa66bc5ce
SHA1 hash:
f0b8baeb2a71de3d8622abaa3ab4f54f65f0a831
Link:
https://www.unpac.me/results/a9702f32-8dee-46cd-a3e6-8ec4895896e8/
SH256 hash:
3cb34cca32bb4aea5625d0760bd6c51f71695c7bb2c11e465c24a31efbfba6cf
MD5 hash:
95b26096376f1a1624581f3203a05f4d
SHA1 hash:
5e885913d272cb5912bd2bbb1f84be93ac09bf52
Link:
https://www.unpac.me/results/a9702f32-8dee-46cd-a3e6-8ec4895896e8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments