MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
SHA3-384 hash: e00ca1dba9db0a1d9384fba5456224f87e9f34b3b15cfe7d390e9e035621eedf794e7dc85244fba313e28a2bab4e1e3b
SHA1 hash: b3933463d09e776f5c210b07d61dcb8c87c6f32e
MD5 hash: f4e5664ffb8921e5d25fd3b77c5bd9d4
humanhash: speaker-william-avocado-spaghetti
File name:REQUEST FOR QUOTATION.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:86'016 bytes
First seen:2021-02-17 07:01:27 UTC
Last seen:2021-02-17 08:28:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 03a76dbf088ca28eb40ac7bd9eb02664 (1 x NetWire)
ssdeep 768:o9qOgtWmKPSeVnQR94uKgAjQc8iXA+hb6+cJ+WLyBMDP0bi8vz:QqOgEmKPvVng9xFAjr8yjheX+2fDP0F
Threatray 367 similar samples on MalwareBazaar
TLSH 4683B5886640FC33C05E4BF583275E3814876A3B46C85873A14F222FA7718F597ACB9B
Reporter abuse_ch
Tags:exe NetWire nVpn RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: sl20.grupo-open.net
Sending IP: 147.135.136.63
From: Ascendum Építőgépek Hungária Kereskedelmi Kft. <reka.lucs@ascendum.hu>
Subject: REQUEST FOR QUOTATION
Attachment: REQUEST FOR QUOTATION.zip (contains "REQUEST FOR QUOTATION.exe")

NetWire RAT C2:
newtechublil.ddns.net:7003 (79.134.225.76)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117503/
Detection(s):
SecuriteInfo.com.Variant.Razy.844285.23813.32028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a file
Setting a single autorun event
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/609881
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Potential malicious icon found
Sigma detected: NetWire
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353964 Sample: REQUEST FOR QUOTATION.exe Startdate: 17/02/2021 Architecture: WINDOWS Score: 96 55 Potential malicious icon found 2->55 57 Yara detected GuLoader 2->57 59 Sigma detected: NetWire 2->59 61 5 other signatures 2->61 7 REQUEST FOR QUOTATION.exe 1 1 2->7         started        10 wscript.exe 2->10         started        12 wscript.exe 2->12         started        process3 signatures4 63 Creates autostart registry keys with suspicious values (likely registry only malware) 7->63 65 Tries to detect Any.run 7->65 67 Hides threads from debuggers 7->67 14 REQUEST FOR QUOTATION.exe 2 9 7->14         started        19 Fonologiernes.exe 1 10->19         started        21 Fonologiernes.exe 1 12->21         started        process5 dnsIp6 45 newtechublil.ddns.net 79.134.225.76, 49745, 7003 FINK-TELECOM-SERVICESCH Switzerland 14->45 47 zjf07a.bn.files.1drv.com 14->47 49 2 other IPs or domains 14->49 29 C:\Users\user\AppData\...\Fonologiernes.exe, PE32 14->29 dropped 31 C:\Users\user\AppData\...\Fonologiernes.vbs, ASCII 14->31 dropped 51 Tries to detect Any.run 14->51 53 Hides threads from debuggers 14->53 23 Fonologiernes.exe 7 19->23         started        27 Fonologiernes.exe 7 21->27         started        file7 signatures8 process9 dnsIp10 33 zjf07a.bn.files.1drv.com 23->33 35 onedrive.live.com 23->35 37 bn-files.fe.1drv.com 23->37 69 Tries to detect Any.run 23->69 71 Hides threads from debuggers 23->71 39 zjf07a.bn.files.1drv.com 27->39 41 onedrive.live.com 27->41 43 bn-files.fe.1drv.com 27->43 signatures11
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-02-17 07:02:08 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hs7qv2x6y2eaeokizll365dve4f2tsy2zmahrty2tvrir4tvdiqa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
09715a97873a089c9dc80219175d50508628f4f794639c2e725bad85d68804c2
NetWire
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
NetWire
5528ee96b8cefda8ec99999701a1673fb0dff17a8e603f2c8ccd3abac08f7489
NetWire
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
NetWire
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
NetWire
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
NetWire
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
NetWire
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
NetWire
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
NetWire
f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c
NetWire
+ 357 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence stealer
Link:
https://tria.ge/reports/210217-1kp43xw7e6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Netwire
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/ed9055e7-3a5e-41a2-b35e-307af58f5b0c/
SH256 hash:
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
MD5 hash:
f4e5664ffb8921e5d25fd3b77c5bd9d4
SHA1 hash:
b3933463d09e776f5c210b07d61dcb8c87c6f32e
Link:
https://www.unpac.me/results/ed9055e7-3a5e-41a2-b35e-307af58f5b0c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip eda26c9e574a2c84ea544a0ab6762e6b2612e3978488bacf544bf08f2583473b

NetWire

Executable exe 3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20

(this sample)

  
Dropped by
MD5 63329146d833c4ba4370beb3e42567aa
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117503/
  
Dropped by
SHA256 eda26c9e574a2c84ea544a0ab6762e6b2612e3978488bacf544bf08f2583473b

Comments