MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153
SHA3-384 hash: 7d831e6693338885d160b87b1e7d7e457f117c00f28389eafe04c78e9c3099771fe8f06585c1406a5b844149f9ec8f98
SHA1 hash: 776a02c79a42da5ec021aa1cbd7ac19367d6cb07
MD5 hash: 3fbd38a88a5302483a14d8fa2510faf9
humanhash: rugby-social-march-moon
File name:3fbd38a88a5302483a14d8fa2510faf9
Download: download sample
Signature NetWire
Create hunting rule
File size:1'162'876 bytes
First seen:2022-09-26 08:50:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:UAOcZXcxP6qNenHO4jTZpFY1q8LPHYOoW6Viduv:CH9CHO4HZXYIwQOolIduv
Threatray 1'723 similar samples on MalwareBazaar
TLSH T16B351282B7D18472D1B31E345A35E724693C3C205F69962FB3E44CADEA756822235FB3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8271cc9696cc7182 (10 x Formbook, 1 x NetWire)
Reporter zbetcheckin
Tags:32 exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
220926-j7vf6aaad8_pw_infected.zip
Verdict:
Malicious activity
Analysis date:
2022-09-26 19:17:57 UTC
Tags:
loader
Link:
https://app.any.run/tasks/3e2706c7-4ee8-40bb-81c7-c95c880e6b1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313525/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Adding an access-denied ACE
Creating a file in the %AppData% subdirectories
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39192/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook greyware nanocore overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6331681a3c00655b268fbfa4/reports/031acb0c-725a-4aa4-b657-e7ef749777c0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2669f0ad-21c5-4e9a-9586-c5a00ea74840
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1077214
Signature
Drops PE files with a suspicious file extension
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709760 Sample: mP959oRnYA.exe Startdate: 26/09/2022 Architecture: WINDOWS Score: 68 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected AntiVM autoit script 2->63 12 mP959oRnYA.exe 92 2->12         started        16 xckjkc.pif 2->16         started        18 xckjkc.pif 1 2->18         started        20 xckjkc.pif 2->20         started        process3 file4 57 C:\Users\user\AppData\Local\...\xckjkc.pif, PE32 12->57 dropped 67 Drops PE files with a suspicious file extension 12->67 22 xckjkc.pif 4 3 12->22         started        25 wscript.exe 16->25         started        27 wscript.exe 18->27         started        29 wscript.exe 20->29         started        signatures5 process6 signatures7 65 Multi AV Scanner detection for dropped file 22->65 31 wscript.exe 1 22->31         started        33 xckjkc.pif 25->33         started        36 xckjkc.pif 27->36         started        38 xckjkc.pif 29->38         started        process8 file9 40 xckjkc.pif 31->40         started        55 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 33->55 dropped 42 wscript.exe 36->42         started        process10 process11 44 wscript.exe 1 40->44         started        46 xckjkc.pif 42->46         started        process12 48 xckjkc.pif 44->48         started        dnsIp13 59 192.168.2.1 unknown unknown 48->59 51 wscript.exe 48->51         started        process14 process15 53 xckjkc.pif 51->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 06:36:16 UTC
File Type:
PE (Exe)
Extracted files:
106
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huimkmbs5jdpwmpixeq4bfdgx5fjgnd7lae4dana2qnmrzbdufjq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
NetWire
13c9bc1d2ac60ca5abb5a235d7d27d8c6f06e497da360f391785044d413cc29e
NetWire
508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
NetWire
69230008ebd4db702b501b5d35d6c5551ae5d1cc779d0bbcf4526f606f332650
NetWire
aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750
NetWire
adfe2c7e157726a346f6682a7d7ccf6fbe6aa884fafe24522f9616c4f8db19e6
NetWire
b3a3645cf2d804bebd0d8049b70c95ae545ff06ca2acc9f85721a1d1f3c9b5b8
NetWire
c8a3afbe993a8c462856e72256e1ec0a251777a5d5bc6cac978e4349f8cb9ac2
NetWire
dce0fd32e1a722b27a3d60dc55016edbbfe763d3ec5aa10de6a6455e062b1432
NetWire
+ 1'713 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/220926-krml2sabe9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
37.0.14.206:3384
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7f350bcf-7709-4872-aa41-9ae2741c9664
Unpacked files
SH256 hash:
3a45970d31434577b7d6e7aa46182f7be1af6c6edc389432c9fa57cac96e0b43
MD5 hash:
2e9d19131ebd810be110a98af3ade3b7
SHA1 hash:
77917fc92c2b1e846bf02791c264f0e06dbc7b6d
Detections:
Netwire
Create hunting rule
win_netwire_auto
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/21f039af-d2a9-44c9-84c0-dcb05acc7c99/
SH256 hash:
9c002b7988e35842e7e52ae86445dd9efe072943f922bd58189e97763aa85fb3
MD5 hash:
cb43b031ae363146468e716d83ef9946
SHA1 hash:
ffc89418295faccda9a866449367f441dac66168
Link:
https://www.unpac.me/results/21f039af-d2a9-44c9-84c0-dcb05acc7c99/
SH256 hash:
3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153
MD5 hash:
3fbd38a88a5302483a14d8fa2510faf9
SHA1 hash:
776a02c79a42da5ec021aa1cbd7ac19367d6cb07
Link:
https://www.unpac.me/results/21f039af-d2a9-44c9-84c0-dcb05acc7c99/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d10c53032ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2313985/
Cape
Cape
https://www.capesandbox.com/analysis/313525/

Comments