MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3db7b6003f173b4b0faff6725ce88a9db8d636fd431901ed32cccd494ff2a29e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	3db7b6003f173b4b0faff6725ce88a9db8d636fd431901ed32cccd494ff2a29e
SHA3-384 hash:	20e682c8a6ba84c6a60b91ad96d88697908331da20f41253beaeb9465dbf2b61ff428c2d00ebcf52f43ae72ed15b800a
SHA1 hash:	9c3d7834864d91a4c55af108aeaaceba076e4323
MD5 hash:	5b4bc2b8be01558aa55a67d5208605d3
humanhash:	indigo-may-beer-xray
File name:	kit.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'528'832 bytes
First seen:	2022-03-23 18:02:45 UTC
Last seen:	2022-03-24 06:17:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9b5dd8ae6c49e5fbd407dc1f346434cc (4 x RaccoonStealer, 2 x RedLineStealer, 2 x Stop)
ssdeep	24576:zg0IY3CyKgM0sfCx7VsJTzAAWKJrPzi1thEYDu1MoaI/WFKxCIXqO3:csKRfCDsprYhEY6qoH/eKFH
Threatray	1'288 similar samples on MalwareBazaar
TLSH	T16D6523A65F11C67AD2FB7AB434009B65526E3CF60DE8C2CE36E513E849367C1D226B0D
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	Anonymous
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/256745/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.85582.15099.20913.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Query of malicious DNS domain

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10945/overview

Behaviour

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware hlux packed ransomware redline

Link:

https://www.filescan.io/uploads/623b612bdfdfa8501cd412bd/reports/7fb905e7-70a3-4d55-80bc-86a7ac3e8980/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e409a382-9b4d-404e-ac4a-b41e543778a5

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/963028

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3db7b6003f173b4b0faff6725ce88a9db8d636fd431901ed32cccd494ff2a29e/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-03-23 18:04:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hw33mab7c45uwd5p6zzfz2ektw4nmnx5immqd3jsztgust7sukpa._file

Verdict:

malicious

NetWire

2766b8092ec9d6a8cf04b83100613068ea365b7142751245864506e0d67c1bd0

NetWire

2f4d23f1d9f7cc7f090eeb0c6a9c459cdf94db5739cff072f848f9bc9f7358f7

NetWire

3d096aec97d55472b437b12fc17924aec39f7b5a25e6e43867cc90f9afcf6337

NetWire

bd0f4b38b5f2edfdaf836e9d4642488de3fe04f3e855826408cbc31f1bda138a

NetWire

dfca76199851087e1f03cd1d1b26d537071d3bae24a8f52f20df434dbe56f0a4

NetWire

+ 1'278 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220323-wm1tnaedap/

Behaviour

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

24b1e2165ecff69110bc0e88dfa945efa681345eed25bda6431af0f3970c2772

MD5 hash:

9e3dabfa242cd95a710ee6677a430f5b

SHA1 hash:

f6823b4b021657a9fa5a1681aa8506bc38cbda4d

Link:

https://www.unpac.me/results/1d58ac13-ba50-4771-b583-2b904b2f168b/

SH256 hash:

a5fa87969fe3b2a76f164e3ac6b2ba79f295a70f3225c461d1354b64c3e5b034

MD5 hash:

f2e967512c563ab6fce2385eb0d74467

SHA1 hash:

d32c80407af6d76c3bfdf33bf120a2e5073b24c0

Detections:

win_netwire_g1

Link:

https://www.unpac.me/results/1d58ac13-ba50-4771-b583-2b904b2f168b/

SH256 hash:

3db7b6003f173b4b0faff6725ce88a9db8d636fd431901ed32cccd494ff2a29e

MD5 hash:

5b4bc2b8be01558aa55a67d5208605d3

SHA1 hash:

9c3d7834864d91a4c55af108aeaaceba076e4323

Link:

https://www.unpac.me/results/1d58ac13-ba50-4771-b583-2b904b2f168b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3db7b6003f173b4b0faff6725ce88a9db8d636fd431901ed32cccd494ff2a29e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	MAL_unspecified_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	MAL_unspecified_Jan18_1_RID2F4A Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research