MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48234f92733d9fb1716311a65d8509d8f6c1eaae34dec31cb504663177978afc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	48234f92733d9fb1716311a65d8509d8f6c1eaae34dec31cb504663177978afc
SHA3-384 hash:	ab0ae7d9feaf873d77110a1038146b52f97f1b446195986314a419742fc3bc7803c339ba8b5660aeed1747db2659ab51
SHA1 hash:	ece8a44ddfdc56f8598031087fc52a0088e886af
MD5 hash:	c86fbdf4cf96a1a44129bb7b4cd1759f
humanhash:	summer-paris-fish-kentucky
File name:	INV00378382.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	858'112 bytes
First seen:	2022-02-09 08:06:02 UTC
Last seen:	2022-02-09 11:27:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:whqbhMFHEVnyIHw2jkpR4vqGCZbgoSxPea9:wqysyIHw2jFvPOba
Threatray	1'676 similar samples on MalwareBazaar
TLSH	T15905483BCEAE193DC1ECC67198BC8DEBB452E87678B35618998625D745733F2208112F
File icon (PE):
dhash icon	4cb2b232d3c8c453 (1 x NetWire, 1 x AsyncRAT)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
173.249.17.53:6688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
173.249.17.53:6688	https://threatfox.abuse.ch/ioc/384482/

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INV00378382.lzh

Verdict:

Malicious activity

Analysis date:

2022-02-09 08:42:07 UTC

Tags:

trojan rat netwire

Link:

https://app.any.run/tasks/389a96dd-bc04-4365-a827-a0328f886862

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/239298/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.25375.17251.15693.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/620375f84077c8b9a0254dac/reports/d197b074-1b25-40ea-ba6c-17ca73dd219f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/188a9320-6450-445a-b2ba-57ca846de9da

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936603

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/48234f92733d9fb1716311a65d8509d8f6c1eaae34dec31cb504663177978afc/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-09 08:06:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jaru7etthwp3c4ldcgtf3bij3d3md2vogtpmghfvartdc54xrl6a._file

Verdict:

malicious

NetWire

3bea5fb4e6d7f626a3448f9815c3ed932a8bf14fc7eab5739cc5dc69de03960c

NetWire

3e3fd118a25473a4efba75d9e99a5aebe0f78779aaf6fb73984321ef119cd8c0

NetWire

5aa439b46631f4deaf5781de945ce1a4a485e56e04e84752942f0eb1a168df08

NetWire

6c323c672a1abb6bf5a72d076e04b16a915015274d0d0bec7b198bda8989a39a

NetWire

bfe9ad7b12ddd211d983b9a81e7024bad6347bd2e6dd259e9992c445bfd628be

NetWire

dee97701b9efd9fb63543937eaa14a678a87cc5574fce52360650d3be1448ae1

NetWire

e839e0292780fb5adef7b827b4dcac7a5fa2063904a529126b3fa0ea85ee3735

NetWire

+ 1'666 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220209-jzfm2ahhaj/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

podzeye.duckdns.org:6688

Unpacked files

SH256 hash:

b66005dc07dfa69e641d14e17949cec365c434b530231273753d9ff4186fe361

MD5 hash:

82755a1afc921dcdb587b5feea62327d

SHA1 hash:

b45bf03cc7d0238096ab6d2090866e02eff28525

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/64ed9c80-9ff1-496c-b9a2-48123a8eca0e/

SH256 hash:

0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9

MD5 hash:

263b5190f7ac42d83c756dcdf38147bb

SHA1 hash:

78f419fe3936ed7d603706c47230cd3e6ff79ffe

Link:

https://www.unpac.me/results/64ed9c80-9ff1-496c-b9a2-48123a8eca0e/

SH256 hash:

afcc215a89aef798838bb538c8bba8210cb21872f66136de566d3ed9315600ee

MD5 hash:

4f4ecbca3bde5742d44e99549117004a

SHA1 hash:

2a08aaabcc303a0cb006ebef22c2fa878dd3f342

Link:

https://www.unpac.me/results/64ed9c80-9ff1-496c-b9a2-48123a8eca0e/

SH256 hash:

48234f92733d9fb1716311a65d8509d8f6c1eaae34dec31cb504663177978afc

MD5 hash:

c86fbdf4cf96a1a44129bb7b4cd1759f

SHA1 hash:

ece8a44ddfdc56f8598031087fc52a0088e886af

Link:

https://www.unpac.me/results/64ed9c80-9ff1-496c-b9a2-48123a8eca0e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/48234f92733d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/239298/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample