MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

SHA256 hash: 3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
SHA3-384 hash: 53bce134eca3aac501e560a2a2f5a2dfeec68f81aaf8662dece0dd3daeff28e8d74c4e8e328badc890dc2d2e35801499
SHA1 hash: 6003223db95be128db6bcfa435658767b1bf3faa
MD5 hash: e68cea2c0c38458cb6828b2642adbdcd
humanhash: single-thirteen-arizona-oxygen
File name: GT42536.scr.exe
Signature: NetWire
File size: 408'576 bytes
First seen: 2021-04-14 07:05:15 UTC
Last seen: 2021-04-14 07:56:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep: 6144:YhIqsdVGRRI0cIYCljXYfy0l3jWaurtBBYSCKbbS0sb2ocg0Uew1e:YhIjcuOlXYfy0lSHBYnKsbogve6
Threatray: 411 similar samples on MalwareBazaar
TLSH: 6094F1163B9EFECEC1A409B10A7685931E24FD160A46A36BB1B0BB257476363390DD37
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
194.5.98.251:5345

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
194.5.98.251:5345    https://threatfox.abuse.ch/ioc/7958/

Intelligence


File Origin
# of uploads: 2
# of downloads: 439
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: GT42536.scr.exe
Verdict: No threats detected
Analysis date: 2021-04-14 07:10:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Creating a process with a hidden window
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 386451; sample GT42536.scr.exe; start date 14/04/2021; architecture WINDOWS; score 100): the rendered process graph is not reproduced here. Its nodes show GT42536.scr.exe dropping vafsd.exe, MSBuild.exe and Aegkyshoststaup.exe under C:\Users\user\AppData\Local\, wscript.exe launching powershell.exe (which adds a Windows Defender directory exclusion), MSBuild.exe reading mail and browser credentials, and Aegkyshoststaup.exe contacting betterday.duckdns.org (194.5.98.251, DANILENKODE, Netherlands).
Threat name: ByteCode-MSIL.Backdoor.NetWiredRc
Status: Malicious
First seen: 2021-04-14 07:06:06 UTC
AV detection: 3 of 47 (6.38%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
NetWire RAT payload
Netwire
Unpacked files
SHA256: 5d1c1dbb64777d746232d0bf891a8a0e24d14a49f416b8b7c9d69db104ff989c  MD5: 2ad5de174428cc0860c4fa3e563fd0bf  SHA1: 4fca7e647f5be28ea7205b1aeaa27b8e114becbb
SHA256: 749a1d1dd4caa14400d46dc842300818ca537820d9b182ce4afaf0703f94b499  MD5: d4aa78214f843e4320a867d1fdfdff83  SHA1: 00b22178f2dd255429ab0856a20ce5992c8f09d3
SHA256: 91e015696ebc63a5cb5008617c855f587d7b074df884fa3941cee404389742e6  MD5: 5de8c690f2dfbef337bc9f387fb7ff1c  SHA1: ad010b868b3a509509c32055f72932ebf045aa46  Detections: win_netwire_g1 win_netwire_auto
SHA256: b4e0bc3af6b6359d3f50810053414c3bc8d8efccc6407371ad3983344f327b4c  MD5: 3d448128d2fde7e1e7069bf17176e9fe  SHA1: 77daa09e649f436bad55b091cf700be0dbf95afa
SHA256: 8c50fe18ecac432919dc58c5f4ba7c30df3ab6a77201df97d379e35e3c4e769b  MD5: 07034d7716cd3a02aef2236627417885  SHA1: 283a8af3487eb87a0e9b7a15ddedd4308a75bf75
SHA256: 592e23e239828ad80140461ed31a1036b114ad5ce0c9495e9584d44cdb334957  MD5: bd2eaebeca20da343c02d3a9885622a1  SHA1: 00728ee414ae80ba1d7fe27ac7211caba08af855
SHA256: 3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078  MD5: e68cea2c0c38458cb6828b2642adbdcd  SHA1: 6003223db95be128db6bcfa435658767b1bf3faa
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments