MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 474bf4f51f1a8bc1e58b372f0ecefa4361b0756292f72b25e0fa172746a2cae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 474bf4f51f1a8bc1e58b372f0ecefa4361b0756292f72b25e0fa172746a2cae7
SHA3-384 hash: bdf90f96aa639b103a9e97395fbf2c0b6f90ce7e7567c6da37dbc14f6ca99e628a0aa89ee1c5c20bfc6019ac6103da39
SHA1 hash: ba717a542a51319924fd6a63d0afc55be421fcf2
MD5 hash: 4b383787a42eae23f313732048c62324
humanhash: fanta-avocado-pasta-twenty
File name:Required Purchase List 30012.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'298'432 bytes
First seen:2021-09-24 13:25:44 UTC
Last seen:2021-09-24 14:15:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:CqAEDuqlt51b9WkIFCANzjw6bm1uQqqU1uG1qW/q:M+uql3WkIFCANdmgQqq4uR
Threatray 573 similar samples on MalwareBazaar
TLSH T18D553A64D16846BAD79F5B7880731030B27F2C50F965BF4D8EE938DA2936F97840AE13
File icon (PE):PE icon
dhash icon 4d342169d4d53569 (3 x OskiStealer, 1 x NetWire)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
208.115.113.39:1919

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
208.115.113.39:1919 https://threatfox.abuse.ch/ioc/226234/

Intelligence

File Origin
# of uploads :
2
# of downloads :
531
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Required Purchase List 30012.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 13:27:39 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/845ccf18-97c5-48d6-8db5-70e47f9cbbec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191181/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.21403.29946.UNOFFICIAL
Create hunting rule

Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9f3e886-fe9a-4f46-83bd-df8c9974a3cd
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857378
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/474bf4f51f1a8bc1e58b372f0ecefa4361b0756292f72b25e0fa172746a2cae7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 13:26:14 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5f7j5i7dkf4dzmlg4xq5tx2inq3a5lcsl3swjpa7ilsorvczltq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1ca56622a5046a55fd09c9cdc61c262d9db3a009a88e0314e7bb9c64c973e9a7
NetWire
3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
NetWire
4fc5c83ab8d45e9b46bc1ab2a20e653d868e57f357b7f5b4ba433706594bc2ca
NetWire
65f6a568a39f5285acc4fd58563be987f6a128165ae0b89cffc038a26f4e54b6
NetWire
7511c244b32ec5bc59ff7173ee5aa83a764ea6607522b79cc99c5537907e50e7
NetWire
c2d01f23413e651226add970b8737c03777c0e2717f13c4a4c4ee29231e8832e
NetWire
cf3b59c22659d7931cf9d0338d57af01d63fbb8363ebc4c86be884194ef62e40
NetWire
ddb36550d76aab46cf84a855f0e242d45a7fa4576f1b162fcf41026defecdc3d
NetWire
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
NetWire
fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e
NetWire
+ 563 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210924-qpj12ahbaq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
serverm17.casacam.net:1919
Unpacked files
SH256 hash:
b1b12f6d71024f97441e4b0033ae056dedc882f2b730d59c468e5eba39d8236f
MD5 hash:
e73077b5b049808b956d7a58998411cc
SHA1 hash:
cc589d28bebf36ff9a1d99dde668b9160b30877c
Link:
https://www.unpac.me/results/7dd6db3b-f2c3-4b0f-b7a2-be582db7a554/
SH256 hash:
9bcbdb7ef6596e9605e2e2dd269923e616f7db63f7d93faf5a535251da357ef1
MD5 hash:
3dbdfbcb0a218a57bb0a0772e49720cf
SHA1 hash:
834bb4bf58b78ffb2a689b04a572c6f8361d7cb7
Link:
https://www.unpac.me/results/7dd6db3b-f2c3-4b0f-b7a2-be582db7a554/
SH256 hash:
ff65ca5b8d4aafe4c95438b8cd0c92059ba7a9e369813aa15e8185e7a3740466
MD5 hash:
83dea878d521a443558c54e14b0b4bbc
SHA1 hash:
5bffd3f84f5f2c12f15e48f7b589a213870a9805
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/7dd6db3b-f2c3-4b0f-b7a2-be582db7a554/
SH256 hash:
efd2f7657839b252c2fb8489c1ccf610b8e57b471efe049de86a74bc1506775d
MD5 hash:
c3f3e4a9e9ab54bf847a9fc02e7a2160
SHA1 hash:
0853bec33e36ede763927cda0f03129ca763bc07
Link:
https://www.unpac.me/results/7dd6db3b-f2c3-4b0f-b7a2-be582db7a554/
SH256 hash:
474bf4f51f1a8bc1e58b372f0ecefa4361b0756292f72b25e0fa172746a2cae7
MD5 hash:
4b383787a42eae23f313732048c62324
SHA1 hash:
ba717a542a51319924fd6a63d0afc55be421fcf2
Link:
https://www.unpac.me/results/7dd6db3b-f2c3-4b0f-b7a2-be582db7a554/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/474bf4f51f1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/474bf4f51f1a8bc1e58b372f0ecefa4361b0756292f72b25e0fa172746a2cae7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191181/

Comments