MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f032c4e18eced05282ae0a19f738dfef527c2281ce7bebaa28ca028941903f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

SHA256 hash: 3f032c4e18eced05282ae0a19f738dfef527c2281ce7bebaa28ca028941903f4
SHA3-384 hash: 5ad9f3f5748e19cad15b3b3b76f30909d9694978818f865e81586c2f3eb68e8130c7dbc6c31a7fed703564869daedd8e
SHA1 hash: 9d6d12ead04e8a7fd75e300d26701a6d9725cccc
MD5 hash: efbc39d4e89b9cf1402acacbc11f7816
humanhash: fanta-tennis-sink-tennis
File name: Document.exe
Signature: NetWire
File size: 1'133'568 bytes
First seen: 2021-09-21 18:25:45 UTC
Last seen: 2021-09-21 18:59:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep: 12288:lIspEfnP8N/seflQTshT8aqeTW39KqmeoAdrL7SUbDz5Zp:320N/seflZhTmiW3A+rPzz5Z
Threatray: 572 similar samples on MalwareBazaar
TLSH: T1CE356CE3B799C8F0EC24393EDC4E7384271AAFF52C134C88AD747B498965651B46A48F
dhash icon: 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
193.187.91.95:6655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
193.187.91.95:6655 | https://threatfox.abuse.ch/ioc/224512/

Intelligence

File Origin
# of uploads: 2
# of downloads: 718
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Document.exe
Verdict: Malicious activity
Analysis date: 2021-09-21 18:28:24 UTC
Tags: installer trojan rat netwire

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name: DBatLoader NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected NetWire RAT
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-09-21 18:26:12 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5

Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour:
Suspicious use of WriteProcessMemory
Adds Run key to start application
NetWire RAT payload
Netwire

Malware Config
C2 Extraction:
NETW22.DDNS.NET:6655
NETW11.DDNS.NET:6655
NETW33.DDNS.NET:6655
NETW44.DDNS.NET:6655
NETW55.DDNS.NET:6655
NETW66.DDNS.NET:6655
NETW77.DDNS.NET:6655
NETW88.DDNS.NET:6655
Unpacked files
SHA256 hash: 9df5839fe41103d241af27c07ec4fce4adfb9129cb57fe6d3fd9a396a750fb49
MD5 hash: 36e70e671e5390c2363ea8803df1c84a
SHA1 hash: 8905d18a2eb8299c800331aee4bbd05afa8f5bcc
SHA256 hash: 3f032c4e18eced05282ae0a19f738dfef527c2281ce7bebaa28ca028941903f4
MD5 hash: efbc39d4e89b9cf1402acacbc11f7816
SHA1 hash: 9d6d12ead04e8a7fd75e300d26701a6d9725cccc
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments