MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e657c935cb9314281e5989f4a6bda06aef10786d13f87d21f0cbf4fea163711. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e657c935cb9314281e5989f4a6bda06aef10786d13f87d21f0cbf4fea163711
SHA3-384 hash: 71659c648bcaa34b9bec06fe90441aeee43cf78c695f0f9df16502ac1d15faabac84e4ba89943966bc0f17aa907def36
SHA1 hash: 866fc8a3d0c316f51a1be30406919c00c0cb1f5b
MD5 hash: 9c5ee45e7577c7afdedee203111a7a22
humanhash: carpet-north-ink-echo
File name:Zaobz-rdbmw-xdw-f.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:743'936 bytes
First seen:2021-08-02 07:07:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b6db14426e42febe892f713365633556 (1 x NetWire)
ssdeep 12288:8JMC4F7zDatjAtb16lIhIxqUtbYy8GkAQKxDOddpRU:8BeG2KUIDu7
Threatray 539 similar samples on MalwareBazaar
TLSH T18DF46CE69EF070BAFC354C3D48472B2D2DD8AD7E5524ECC319E0F58A03BCA6234955A6
dhash icon 1130767864760841 (6 x RemcosRAT, 2 x Formbook, 1 x NetWire)
Reporter lowmal3
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'076
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Zaobz-rdbmw-xdw-f.exe
Verdict:
Malicious activity
Analysis date:
2021-08-02 07:09:38 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/027c9b9e-3ee4-4a7d-8ef9-7f0ac60c9136

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175712/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a12f3f7-771a-4f54-91a6-e2250608f706
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825335
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457754 Sample: Zaobz-rdbmw-xdw-f.exe Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 8 Zaobz-rdbmw-xdw-f.exe 1 24 2->8         started        13 Pqrktgm.exe 13 2->13         started        15 Pqrktgm.exe 13 2->15         started        process3 dnsIp4 48 pinkbroadband.in 103.225.125.27, 443, 49713, 49714 RAINBOWISP-ASRainbowcommunicationsIndiaPvtLtdIN India 8->48 42 C:\Users\Public\Libraries\...\Pqrktgm.exe, PE32 8->42 dropped 58 Detected unpacking (changes PE section rights) 8->58 60 Detected unpacking (overwrites its own PE header) 8->60 62 Contains functionality to log keystrokes 8->62 68 2 other signatures 8->68 17 Zaobz-rdbmw-xdw-f.exe 2 8->17         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        24 BackgroundTransferHost.exe 13 8->24         started        64 Multi AV Scanner detection for dropped file 13->64 66 Injects a PE file into a foreign processes 13->66 26 Pqrktgm.exe 13->26         started        28 Pqrktgm.exe 15->28         started        file5 signatures6 process7 dnsIp8 44 213.152.162.181, 5133 GLOBALLAYERNL Netherlands 17->44 46 184.75.221.171, 49723, 5133 AMANAHA-NEWCA Canada 17->46 30 reg.exe 1 20->30         started        32 conhost.exe 20->32         started        34 cmd.exe 1 22->34         started        36 conhost.exe 22->36         started        process9 process10 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e657c935cb9314281e5989f4a6bda06aef10786d13f87d21f0cbf4fea163711/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 07:08:06 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
014ce137a80a13da45f5ffbe6cc6926f153972356a9f2aca75113e0b6d525d16
NetWire
418cf2d183b0ad4239752ae06861e629bf3e8f5ffec607c3eb4fae2ce130a5ff
NetWire
82dc13144b5d22e2e75fc7dc783439e2c1e93dbe630411d3fa62b77b27645e12
NetWire
82e96593173c1407d138cca5418a00b0f5cd9960b32d8f03052eca9b33e68b44
NetWire
8fb001ff8eff89d8c472579c21683a55aff13ff9599bef6a3e5571b2c919691b
NetWire
bb988ff7e440eb871321f3d5ee94c7d241d4929e57b0e687e3ee61466b6880f6
NetWire
e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7
NetWire
efe7085d016f39d6e180df2cf41e774b28e64b3e1847b5e69386ef068bea5f20
NetWire
f3ad47ca842225f405e277f5f2b0521266fe65a90bf746ac39a67990835ddf14
NetWire
fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
NetWire
+ 529 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210802-9jxjp8aqy6/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
213.152.162.181:5133
184.75.221.171:5133
199.249.230.27:5133
185.103.96.143:5133
185.104.184.43:5133
Unpacked files
SH256 hash:
8be5025dd23a3192655138b8523694c49bcbac20888aae1d0a50f86bdf624c08
MD5 hash:
ef4251de5a9fa4369f0012ae81bf4039
SHA1 hash:
b9552367a8dc7a063ab2088166f549d6a3d0184d
Link:
https://www.unpac.me/results/e1dd6486-d294-466a-a38d-ad35efc38fb6/
SH256 hash:
3e657c935cb9314281e5989f4a6bda06aef10786d13f87d21f0cbf4fea163711
MD5 hash:
9c5ee45e7577c7afdedee203111a7a22
SHA1 hash:
866fc8a3d0c316f51a1be30406919c00c0cb1f5b
Link:
https://www.unpac.me/results/e1dd6486-d294-466a-a38d-ad35efc38fb6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/3e657c935cb9314281e5989f4a6bda06aef10786d13f87d21f0cbf4fea163711

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/175712/

Comments