MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80
SHA3-384 hash: f8acf5e74bd324f38d45f6a43dca2598d6cf0ecaae321c3f6fffb72b2d089e948757b60b86c2cb8ac0973c86a5b944e3
SHA1 hash: 5aa37d9479803a1fa692974323849d1eaad34328
MD5 hash: 89e0f3ba3b0356030882a5d993c44a96
humanhash: iowa-illinois-mountain-hot
File name:4a762e8f8af34dcfcd469d9e9bfb43c977cd878d93952.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:996'864 bytes
First seen:2022-06-29 04:43:04 UTC
Last seen:2022-06-29 05:36:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Z/T/Fe/XfuVhBfTxDYJdWhrXANa41/7tjk:Z/Fe/WVLftY7AbANRDZk
TLSH T16025CF1453E89E97C46F0B3DE0A12B1947B6F101E34BE70B5798F5F5AE927A0CD88287
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
91.193.75.135:4736

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.193.75.135:4736 https://threatfox.abuse.ch/ioc/733911/

Intelligence

File Origin
# of uploads :
2
# of downloads :
428
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284091/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62bbd894a80f69eaf349ad28/reports/9309aba4-3535-4cdb-858c-91c59d8df00a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5b74625-687e-41c4-8f4a-0b93e1c04996
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021604
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 654100 Sample: 4a762e8f8af34dcfcd469d9e9bf... Startdate: 29/06/2022 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Yara detected NetWire RAT 2->35 37 Yara detected AntiVM3 2->37 39 7 other signatures 2->39 7 4a762e8f8af34dcfcd469d9e9bfb43c977cd878d93952.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\KTNWVfSfr.exe, PE32 7->25 dropped 27 C:\Users\...\KTNWVfSfr.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmpC549.tmp, XML 7->29 dropped 31 4a762e8f8af34dcfcd...cd878d93952.exe.log, ASCII 7->31 dropped 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Adds a directory exclusion to Windows Defender 7->43 11 powershell.exe 25 7->11         started        13 powershell.exe 24 7->13         started        15 schtasks.exe 1 7->15         started        17 5 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-29 04:44:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jj3c5d4k6ng47tkgtwpjx62dzf343b4nsoksobj2i3ovqdtfjsaa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220629-fctdtsegbk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
20220627.duckdns.org:4736
Unpacked files
SH256 hash:
5723367d7cd48b98eb468740ee30085b10bfa3d6a9774e36936e6026aa58af05
MD5 hash:
ccb0686ddfcd782f6adaab81f29a9348
SHA1 hash:
fb2138780442d54c9b367ae901c7150c1d21f087
Link:
https://www.unpac.me/results/30efe910-13d3-418a-8758-be672bdf3d47/
SH256 hash:
a08b8d12789500fae3a855dc5ac1d02003d72a5a2ed33afe7655bd6f3b530d48
MD5 hash:
9752a34c36de25f3829f861af1456acc
SHA1 hash:
f4717a8f3a8ad5187a667edbf645c2a652b7b734
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/30efe910-13d3-418a-8758-be672bdf3d47/
SH256 hash:
5d2ff5c0d3795cd61ae8038954945c1a227b74ea3ba2d0401dd68fb3fe566a67
MD5 hash:
948a0bbe2a13e70444900cfcd445411e
SHA1 hash:
d2443b23d04a89cd65a96d1ad12e13c1b9348c3b
Link:
https://www.unpac.me/results/30efe910-13d3-418a-8758-be672bdf3d47/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/30efe910-13d3-418a-8758-be672bdf3d47/
SH256 hash:
2bc955afceb733aa6bf58d300c3b5e83e0d16262966a3727b3fd61a2742d1898
MD5 hash:
56549a71aea3aee4149f15d1706c450e
SHA1 hash:
1d2ca1a864e03f5dac6dddc0ee49a951da5a7ab1
Link:
https://www.unpac.me/results/30efe910-13d3-418a-8758-be672bdf3d47/
SH256 hash:
4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80
MD5 hash:
89e0f3ba3b0356030882a5d993c44a96
SHA1 hash:
5aa37d9479803a1fa692974323849d1eaad34328
Link:
https://www.unpac.me/results/30efe910-13d3-418a-8758-be672bdf3d47/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a762e8f8af3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284091/

Comments